The Senior Security Researcher is an applied research role responsible for determining how to detect vulnerabilities in software using automated static analysis. The Research team’s main responsibility is to make sure our application scanning technology is as comprehensive and accurate as possible.
Research the vulnerabilities commonly introduced into software across a variety of programming languages, platforms, and frameworks.
Create rules, attack patterns, and test cases to describe vulnerability detection techniques.
Conduct directed internal research projects aimed at improving automation, accuracy, efficiency, and security of the analysis engine or other components of the Veracode platform.
Assess Veracode’s security analysis capabilities against available manual and automated techniques.
Contribute content to the Knowledge Center to ensure the Veracode platform provides customers with current, accurate, and actionable information.
Perform software security research to discover new vulnerabilities and novel detection techniques for existing vulnerabilities.
Actively engage with the security research community through speaking at industry conferences, publishing research, posting on the Veracode blog, and other means.
Provide mentoring and technical guidance to Application Security Analysts and other members of the Services team.
You should love tackling difficult problems, and you should be able to learn new things quickly and independently. You may be asked to produce security requirements for a language or development framework that you’ve had no past experience with, and you will need to do so methodically and comprehensively. It’s also crucial that you’re an effective communicator, as you’ll collaborate frequently with our engineers to guide them in implementing the specifications you create. You’ll also need:
Genuine enthusiasm, not just aptitude, for application security.
A “breaker” mentality; Veracode is on the defensive side of the application security industry, but we believe attackers make the most well-informed defenders. The ability to assess the attack surface of a piece of software is extremely important.
3-5 years of practical application security work experience, preferably including some or all of the following: source code auditing, penetration testing, product assessments, vulnerability research, reverse engineering, and related pursuits.
Prototyping ability – the skill to hack something together quick and dirty to solve a problem.
Substantive experience with .NET languages and the ASP.NET web framework, ideally including some development experience. Expertise in other enterprise-grade web architectures (e.g. J2EE) a plus.
Experience using and/or customizing commercial static analysis technologies and familiarity with the capabilities/limitations of static analysis is a major plus.
Expertise in mobile application development for iOS and Android a plus.
Excellent attention to detail, quality, and customer satisfaction. Former consulting experience is a plus, because occasionally you’ll interact directly with customers.
Strong analytical, organizational, and technical writing skills.
Ability to work effectively in a fast-paced, high-energy startup environment.
B.S. in Computer Science or equivalent work experience.