Global Product Security's Ethical Hacking Team is responsible for performing in depth security assessments across Oracle's entire product and service portfolio. Over the years, the EHT has built a suite of pioneering security tools used for vulnerability triaging and identification: you will be responsible for their maintenance, improvement and growth, with particular attention to simplicity and usability for the end users.
You will be working closely with our software engineers spread across Oracle worldwide. Your contribution will add vital pieces to the foundations on top of which Oracle constantly improves security for users and clients.
You will be primarily responsible for all our security tools, written in Java, Python and Bash; you will maintain, update and enhance the codebase. You will embed cutting-edge security research techniques in the tools by reading academic papers and implementing relevant content. You will be responsible for support to end users (bug fixing and enhancement requests) as well as for producing documentation, presentations and reports on tool usage, highlighting success cases and ROI.
The EHT is not your run-of-the-mill pentesting gig: we're not only invested in finding bugs but also in making sure they are fixed correctly and don't happen again. We need people who can use their skills and share their expertise to effect meaningful change across the company. Along the same lines, being able to describe the impact of a CVSS 10 bug in terms your audience (both technical and non-technical) will understand is essential.
A successful candidate must have genuine excitement for and interest in security, as well as the desire to share knowledge and help others learn from the high technical and ethical standards you set. You will learn from the rest of the EHT during real security assessments and gather expertise on the attack techniques that will sharpen your skills in security testing, which you will re-use to improve our tools. Your work will benefit thousands of Oracle engineers worldwide and shape the future of product security within one of the largest software companies in the world.
· Bachelor's or Master's degree in Computer Science or related field
· Combined 7 or more years of experience in security engineering and/or software development; strong application security background is required
· Ability to translate academic work (papers, proofs of concept) into Java/Python algorithms
· Advanced Java knowledge, especially in multi-threading (theory and practice), Object Oriented paradigms (design patterns), REST, HTTP API and filesystem handling
· Knowledge of Linux OS internals. Proficiency with one among Python, Go, Bash, C or C++. Ability to self-teach any language, given appropriate resources and practice time
· Advanced knowledge of data structures and distributed systems
· Experience with SQL databases and database optimisation; NoSQL knowledge will be required for the job, and is a desired skill to already possess
· Understanding of the impacts of Big Data; ability to approximate and reduce problems to constant, linear or logarithmic solutions.
· Ability to participate in web, network and infrastructure penetration tests; practical knowledge of common web flaws (SQL injection, XSS, SSRF, upload/download abuse, RCE).
· Understanding of OWASP Top 10, security vulnerability handling and security research practices
· Applied knowledge of cryptography
· Familiarity with networking protocols (e.g. IP, UDP, TCP, HTTP) and related security protocols (e.g. TLS, key exchange)
· Excellent organizational, verbal and written communication skills
· Prior DevOps or continuous delivery and deployment experience is desirable
· Experience working in a large cloud or Internet software company is desirable
· Ability to work physically in Reading - Thames Valley Park, for 80% of the time (when Covid-19 restrictions are fully lifted)