Define, implement and document new security features
Lead security-oriented thinking in a product engineering team
Analyze, fix, and test vulnerabilities in Canonical and open source software
Contribute to Ubuntu and upstream projects to benefit the community
Audit and analyze source code for vulnerabilities
Integrate new tools in our security infrastructure, pipelines and processes
Achieve and retain various security certifications
Extend and enhance Linux cryptographic components - specifically with modules such as OpenSSL/Libgcrypt - with the features and functionality required for country-specific compliance such as FIPS and CC certification
Work with external partners to develop CIS benchmarks
Design and develop hardening automation for Ubuntu
Monitor the security industry for new developments
Develop, test and maintain new software capabilities
Provide guidance and support to other engineering teams
What we are looking for in you
An exceptional academic track record from both high school and university
Undergraduate degree in Computer Science or STEM, or a compelling narrative about your alternative path
Drive and a track record of going above-and-beyond expectations
A thorough understanding of the common categories of security vulnerabilities
Modern engineering techniques to find and fix them
Familiarity with open source development tools and methodologies
Skill in one or more of C, Python, Go, Rust, Java, Ruby or PHP
Experience as a security champion
Experience driving security within a wider SDLC process
Professional written and spoken English
Experience with Linux (Debian or Ubuntu preferred)
Excellent interpersonal skills, curiosity, flexibility, and accountability
Passion, thoughtfulness, and self-motivation
Excellent communication and presentation skills
Result-oriented, with a personal drive to meet commitments
Ability to travel twice a year, for company events up to two weeks each
Optional skills we also value
Clear and effective communication with the team and Ubuntu community members
Experience working with the Linux kernel
Security Certification experience and knowledge in FIPS and/or CC
Experience with OVAL (Open Vulnerability Assessment Language)
Knowledge of and familiarity with low-level Linux cryptography APIs
Demonstrated high learning ability
Performance engineering experience
Desired candidate profile
1. Security Architecture and Design
Secure Software Design: Collaborate with development teams to design software with security in mind, implementing security principles such as least privilege, defense in depth, and secure by design.
Threat Modeling: Perform threat modeling on new software applications and systems, identifying potential vulnerabilities and designing mitigations early in the development process.
Security Requirements: Define security requirements for new applications, systems, and features, ensuring that they are built to withstand known and emerging threats.
2. Vulnerability Management
Vulnerability Scanning: Use static analysis, dynamic analysis, and other scanning tools to identify vulnerabilities in the codebase and infrastructure.
Penetration Testing: Perform penetration testing to simulate attacks on applications and infrastructure, identifying and addressing weaknesses before they can be exploited.
Patch Management: Identify, prioritize, and implement security patches or updates to address vulnerabilities in both third-party libraries and custom code.
3. Secure Software Development
Secure Coding Practices: Follow and enforce secure coding practices, preventing common vulnerabilities such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and buffer overflows.
Code Reviews: Participate in or lead security-focused code reviews, ensuring that developers adhere to security standards and best practices.
Security Testing: Implement automated security tests into the CI/CD pipeline, ensuring that software vulnerabilities are detected as early as possible during the development lifecycle.
4. Incident Response and Threat Detection
Security Incident Response: Respond to security incidents, helping to identify the scope of the attack, contain damage, and recover. Assist in post-incident analysis and lessons learned.
Monitoring and Alerts: Set up and configure tools for continuous monitoring of application and infrastructure security. Implement security alerts for suspicious activity or anomalies.
Log Analysis: Analyze system and application logs for signs of malicious activity or security breaches, ensuring the security infrastructure is effective.
5. Security Automation and Tools
Automation of Security Testing: Develop or integrate tools that automate security testing, vulnerability scanning, and incident detection to streamline security processes.
Security Tools: Work with or develop security tools and software, such as firewalls, intrusion detection/prevention systems (IDS/IPS), and encryption technologies, to ensure robust protection across the organization’s infrastructure and applications.
DevSecOps: Integrate security practices into the DevOps pipeline (DevSecOps) by working on automating security checks within the CI/CD pipeline.