Amazon

DESCRIPTION

Do you enjoy reading source code to find security issues? Are you passionate about crafting fuzzers and writing proof-of-concept code to demonstrate vulnerabilities? Do you thrive on diving into black-boxes and uncovering security issues? The Infrastructure Security - Threat team does exactly this, combining manual code analysis, advanced fuzzing techniques, and black-box testing to secure the global AWS infrastructure

Our team is responsible for the automated fuzzing assessments of all network devices, products, services, software and firmware released by infrastructure product teams. We specialize in digging deep to find security issues that static analyzers can’t, and write tooling and code to identify such issues at scale. The AWS infrastructure is foundational to all AWS services, so if you love working below the HTTP APIs on network layers, firmware level or operating system internals, this role could be a great fit.

On this team you will be reading and manually reviewing source code in C, C++, Java, go-lang, Python, JavaScript, Rust, and other languages to look for security bugs. At times, you may not have the source code and will need to black box test for security issues. You’ll be writing proof-of-concept (PoC) code to clearly demonstrate the impact of an issue. You will also be retesting and validating fixes to security issues discovered, as well as figuring out new ways to break the fixes themselves.

Key job responsibilities

• Manually audit the source code of infrastructure services and software authored in-house by Amazon
• Audit the security risk of various builds of vendor-provided hardware and software to find security flaws in it as a black-box
• Develop fuzz test harnesses leveraging tools like AFL++, LibFuzzer and honggfuzz to discover vulnerabilities in infrastructure software
• Write proof-of-concept code to demonstrate the severity of a potential security issue
• Provide clear communication on security issues to developers and network engineers that help in understanding the issue and testing the fix
• Partner with AWS developers to drive improvement in application security as a result of security review engagements
• Provide actionable long term risk mitigation guidance
• Work directly with Principal, Senior Principal and Distinguished Engineers to assess high risk attack surfaces to AWS infrastructure
• Present risk assessment reports and demonstrations to Directors and VPs

A day in the life

• Validate the security of a new device being introduced into the AWS data center
• Verify the code fixes made to address security issues
• Write proof-of-concept code to demonstrate the impact of a security issue
• Assess whether a publicly-disclosed issue is impacting AWS software or firmware components
• Ensure high security of vendor-provided hardware (such as whether there are security flaws in its boot process, etc.)
• Perform penetration tests on yet-to-be-released software ensuring it meets security requirements early-on during the development phases by collaborating with AWS engineers

About the team

Within AWS, the Infrastructure Security – Threat team is responsible for device security (threat modeling, shift-left security), fuzzing and penetration testing of AWS Infrastructure. InfraSec-Threat is part of the Infrastructure Security organization responsible for threat intelligence, vulnerability management, security information and event management (SIEM), incident response, and overall security across the global AWS infrastructure.

We value work/life balance and plan well so we can be creative in our work as well as our lives.

We value inclusion and diversity because we know diversity brings in creativity.

BASIC QUALIFICATIONS

• CCSP (Certified Cloud Security Professional) or CEH (Certified Ethical Hacker) or CFR (CyberSec First Responder) or Cloud+ or CySA+ (CompTIA Cybersecurity Analyst) or GCED (GIAC Certified Enterprise Defender) or GICSP (Global Industrial Cyber Security Professional) or PenTest+

PREFERRED QUALIFICATIONS

• Bachelor's degree

Amazon is committed to a diverse and inclusive workplace. Amazon is an equal opportunity employer and does not discriminate on the basis of race, national origin, gender, gender identity, sexual orientation, protected veteran status, disability, age, or other legally protected status.

Our inclusive culture empowers Amazonians to deliver the best results for our customers. If you have a disability and need a workplace accommodation or adjustment during the application and hiring process, including support for the interview or onboarding process, please visit https://amazon.jobs/content/en/how-we-hire/accommodations for more information. If the country/region you’re applying in isn’t listed, please contact your Recruiting Partner.