Engineer Security Cryptography Linux

Roles and responsibilities

• Collaborate with other engineers in the Security Hardening team to achieve and retain various Security certifications
• Extend and enhance Linux cryptographic components (OpenSSL, Libgcrypt, GnuTLS, and others) with the features and functionality required for FIPS and CC certification
• Collaborate with external security consultants to test and validate kernel and crypto module components
• Work with external partners to develop security hardening benchmarks and audit + remediation automation for Ubuntu
• Contribute to Ubuntu mainline and upstream projects to land solutions and benefit the community
• Communication and collaboration within and outside Canonical to identify opportunities to improve our security posture, rapidly resolve issues, and deliver high-quality solutions on schedule
  

What we are looking for in you

• Hands-on experience with low-level Linux cryptography APIs and debugging
• Excellent software engineering fundamentals, including prior experience with C development, and the ability to demonstrate such
• Hands-on experience with Linux system administration and shell scripting
• Demonstrated knowledge of security and cryptography fundamentals + direct experience writing secure code and implementing best practices
• Significant development experience working with open source libraries
• Excellent verbal and written communications to enable efficient collaboration with internal and external partners in a remote-first environment
  

Additional Skills That You Might Also Bring

• Prior experience working on FIPS/Common Criteria certified products and in-depth knowledge of the underlying standards
• Prior experience working directly with DISA-STIG or CIS benchmarks, including related audit + remediation tooling (e.g. Compliance as Code)
• Experience working directly with Linux Kernel
• Prior experience with Python, OVAL (Open Vulnerability Assessment Language), and Ansible
• History of contributions to open source projects

Desired candidate profile

1. Cryptography Implementation and Management

• Encryption/Decryption: Implement and manage encryption schemes for data at rest, data in transit, and communication between systems. Use tools like OpenSSL, GPG, and other cryptographic libraries to secure data.
• Key Management: Manage encryption keys securely using tools such as HashiCorp Vault, AWS KMS, or custom key management solutions. Ensure best practices for key lifecycle management (generation, storage, rotation, revocation).
• Cryptographic Protocols: Implement and support secure communication protocols, such as SSL/TLS, IPSec, and SSH, ensuring they meet industry standards for confidentiality and integrity.

2. Linux Security Hardening

• System Hardening: Perform system hardening on Linux servers by configuring and maintaining security best practices, such as disabling unnecessary services, implementing least-privilege access, configuring firewalls (iptables/nftables), and applying security patches.
• SELinux/AppArmor: Configure and manage Security-Enhanced Linux (SELinux) or AppArmor to enforce security policies that protect against unauthorized access to system resources.
• Audit and Logging: Configure Linux audit frameworks (e.g., auditd) and log management tools (e.g., syslog, rsyslog) to monitor for suspicious activities and ensure compliance with security policies.
• Access Control: Set up and manage user and group permissions, configure sudoers file, and apply proper authentication mechanisms (e.g., PAM, two-factor authentication).

3. Security Incident Response

• Incident Detection: Implement and configure intrusion detection/prevention systems (IDS/IPS), monitor for anomalous behaviors, and use tools like OSSEC, Snort, or Suricata.
• Forensics: In the event of a security breach, perform forensic analysis to identify the root cause, scope, and impact of the incident. Analyze logs, file system integrity, and other system artifacts.
• Threat Mitigation: Develop and implement mitigation strategies to reduce vulnerabilities, including deploying patches, security fixes, and configuration changes to prevent further attacks.

4. Vulnerability Assessment and Penetration Testing

• Vulnerability Scanning: Conduct vulnerability assessments on Linux systems using tools like Nessus, OpenVAS, or Lynis to identify security flaws and weaknesses.
• Penetration Testing: Perform penetration tests to identify potential vulnerabilities in the system or network. Use tools such as Metasploit, Burp Suite, or custom scripts to simulate attacks and assess system defenses.
• Security Audits: Conduct security audits to evaluate the effectiveness of security controls, identify weaknesses, and recommend remediation actions.

5. Compliance and Security Best Practices

• Compliance Requirements: Ensure systems are compliant with relevant regulations and standards, such as PCI DSS, HIPAA, GDPR, or FISMA. Implement security controls and audits to meet compliance requirements.
• Security Documentation: Create and maintain detailed documentation of security policies, procedures, and configurations. This includes documentation for cryptographic implementations, incident response procedures, and security audits.
• Security Policies: Develop and enforce organizational security policies, including those related to encryption standards, key management, secure coding practices, and network security.

6. Continuous Improvement

• Research and Development: Stay up-to-date with the latest cryptographic algorithms, Linux security tools, and vulnerabilities. Experiment with new technologies and tools to improve the security posture of Linux systems.
• Automation: Automate security tasks and processes using scripting languages like Bash, Python, or Ansible to enhance the efficiency and reliability of security operations.
• Patch Management: Ensure that systems are regularly patched with the latest security updates and that vulnerabilities are mitigated in a timely manner.