Sr. Staff Application Security Engineer

Company: Aurora Innovation
Location: Pittsburgh, PA, USA
Salary: $229000 – $366000
Type: Full-Time
Degrees:
Experience Level: Senior, Expert or higher

Requirements

  • Ability and desire to write production-quality code in C++, Golang, or Python
  • Foundational knowledge of operating system security for Linux
  • Foundational knowledge of the CWE Top 25
  • Ability to assess software and/or hardware components with and without full knowledge
  • Ability to work well with other assessment members and engineering partners
  • Ability to communicate effectively with technical and non-technical audiences
  • Experience in one or more of the following: risk assessment, threat modeling, incident and emergency response, OS hardening, vulnerability management, pentesting, offensive security, or cryptographic protocols and concepts
  • Experience in vulnerability discovery and analysis, design review, and code-level security reviews
  • Experience in, and technical knowledge of, security engineering, computer and network security, authentication and security protocols, and applied cryptography
  • Experience with assessment, development, implementation, and documentation of a comprehensive and broad set of security technologies and processes
  • Familiarity with automotive protocols and security standards
  • Experience in Security Assurance / Secure-SDLC processes in an agile / waterfall environment
  • Experience building and evaluating threat models / risk assessments
  • Experience and ability to implement best practices related to cryptographic protocols, infrastructure and network security
  • Minimum 8 years of experience in a security-specific or security-adjacent industry
  • Minimum 2 years of experience in the robotics or automotive industry or equivalent

Responsibilities

  • Perform secure design reviews and threat modeling. Identify and prioritize risks, attack surfaces, and vulnerabilities
  • Perform security code reviews of source code changes and advise developers on remediating vulnerabilities and following secure coding practices
  • Perform technical security assessments and reviews, research, uncover, and reproduce vulnerabilities, design secure protocols and systems, and write tests and fuzzers to drive architecture changes
  • Manage the vulnerability management process and program through triage, prioritization, tracking, remediation, and validation of vulnerabilities from audits, scans and external reports
  • Employ techniques including reverse engineering, fuzzing, and static and/or dynamic analysis
  • Conduct research to identify new and novel attack vectors against Aurora’s products and services
  • Review, develop and document secure operational best practices, and provide security guidance for engineers and various internal and external partners
  • Develop and manage a secure software development lifecycle
  • Develop and manage a bug bounty program
  • Research, recommend, and develop security tools and technologies to strengthen defenses against emerging threats and vulnerabilities
  • Work with Engineering teams and OEMs to ensure successful security assurance of the Aurora Driver platform and services
  • Advocate, guide and mentor both security and non-security engineers to instill security best practices through secure architecture, design, and development

Preferred Qualifications

  • Relevant work experience in offensive security, penetration testing or red teaming
  • Experience implementing various Defense in Depth Strategies to address dynamic threats across various software and hardware stacks
  • Experience evaluating the security of software, hardware and services
  • Foundational knowledge of embedded firmware security and hardware security, preferably in the robotics or automotive space
  • Familiarity with cloud security (AWS) and infrastructure-as-code
  • Familiarity with Trusted Platform Modules, HSMs, and trusted boot
  • A history of giving back to the security industry via open source contributions, published papers, or conference presentations