Security Technologist - Penetration Testing
são paulo, state of são paulo, brazil
Posted on Friday, March 31, 2023
About The RoleUber’s Product Security organization is looking for a penetration tester to join our security assessments team. As a member of our in-house pen-test team, your principle mission will be to conduct offensive pen-testing activities against our microservices, applications, infrastructure and data-layer services. You will work closely with our engineering groups to define pen-test scope, lead assessment engagements, and map assessment findings into engineering plans of action for remediation, ultimately guiding our product security uplift activities. This is an outstanding opportunity for an expert offensive pen-tester who is collaborative, and has a healthy sense of curiosity to join Uber Engineering Security to make real positive impacts to our security posture, and help us improve our security designs in our next-gen of systems and services. What You Will Do
- Conduct white-box and grey-box offensive penetration testing against Uber’s mobile applications, front-end & back-end microservices and web services
- Conduct network infrastructure, Public Cloud (AWS and GCP), and data-layer offensive pen-testing
- Perform mobile reverse engineering and/or mobile instrumentation of mobile application products as needed to deliver mobile security assessments.
- Perform manual source code reviews and audits (manual and SCA/SAST code audits) as needed
- Be an expert and ambassador to Uber Engineering for secure coding practices, penetration testing, mobile platform security and all aspects of application and product security
- Perform any other application security or product security related activities or tasks as needed or advised
- Validate 3rd party external pen-test and crowd-sourced application security findings and work with our app security team to prioritize those across to our engineering teams.
- A pen-test certification such as Offensive Security Certified Professional (OSCP) or CEH, OSWE, OSCE, GPEN, GMOB, GWAPT, GXPN, and/or willing to work towards ultimately acquiring one as part of your career path
- 2+ years of relevant engineering or security assessment experience
- Possess a broad knowledge of attack vectors, exploits and mitigations that work at scale or may be linked together for chained attacks
- Experience with assessing with Cloud-native services, service meshes, and Kubernetes-platform based microservices
- Experience with assessment of mobile-based applications (not just web/UI)
- Be able to apply unconventional thinking and problem-solve on the boundary of your knowledge base, learning new technologies or languages as needed to complete pen-test tasks
- Be able to think both offensively (like a hacker) and defensively (evaluating product security and design)
- Ability to create written work product, detailed technical findings documents, and pen-test reports
- You have great interpersonal skills, deep technical ability, and a history of successful execution in the assessments industry. If you enjoy discussing anything from procedural linking tables in kernels to remote code execution in JVMs, then we want you on the team.
- B.S. in Computer Science, Electrical, or Computer Engineering, or equivalent work experience as a software engineering or security practitioner
- Experience with Java, Go, Python or Node.js (bonus points for more than one)
- Familiarity with industry-standard threat modeling, risk modeling and vulnerability classification
- Experience with pre-assessment architectural and API analysis to scope and prepare white-box and grey-box assessments
- Experience working with in-house engineering organizations, S-SDLC/CICD software lifecycle and QA processes
See more open positions at Uber
Something looks off?