Fuzz Testing Engineer, InfraSec-HLS
Amazon.com
Do you enjoy reading source code to find security issues? Are you passionate about crafting fuzzers and writing proof-of-concept code to demonstrate vulnerabilities? Do you thrive on diving into black-boxes and uncovering security issues? The Infrastructure Security - Threat team does exactly this, combining manual code analysis, advanced fuzzing techniques, and black-box testing to secure the global AWS infrastructure
Our team is responsible for the automated fuzzing assessments of all network devices, products, services, software and firmware released by infrastructure product teams. We specialize in digging deep to find security issues that static analyzers can’t, and write tooling and code to identify such issues at scale. The AWS infrastructure is foundational to all AWS services, so if you love working below the HTTP APIs on network layers, firmware level or operating system internals, this role could be a great fit.
On this team you will be reading and manually reviewing source code in C, C++, Java, go-lang, Python, JavaScript, Rust, and other languages to look for security bugs. At times, you may not have the source code and will need to black box test for security issues. You’ll be writing proof-of-concept (PoC) code to clearly demonstrate the impact of an issue. You will also be retesting and validating fixes to security issues discovered, as well as figuring out new ways to break the fixes themselves.
Key job responsibilities
- Manually audit the source code of infrastructure services and software authored in-house by Amazon
- Audit the security risk of various builds of vendor-provided hardware and software to find security flaws in it as a black-box
- Develop fuzz test harnesses leveraging tools like AFL++, LibFuzzer and honggfuzz to discover vulnerabilities in infrastructure software
- Write proof-of-concept code to demonstrate the severity of a potential security issue
- Provide clear communication on security issues to developers and network engineers that help in understanding the issue and testing the fix
- Partner with AWS developers to drive improvement in application security as a result of security review engagements
- Provide actionable long term risk mitigation guidance
- Work directly with Principal, Senior Principal and Distinguished Engineers to assess high risk attack surfaces to AWS infrastructure
- Present risk assessment reports and demonstrations to Directors and VPs
A day in the life
- Validate the security of a new device being introduced into the AWS data center
- Verify the code fixes made to address security issues
- Write proof-of-concept code to demonstrate the impact of a security issue
- Assess whether a publicly-disclosed issue is impacting AWS software or firmware components
- Ensure high security of vendor-provided hardware (such as whether there are security flaws in its boot process, etc.)
- Perform penetration tests on yet-to-be-released software ensuring it meets security requirements early-on during the development phases by collaborating with AWS engineers
About the team
Within AWS, the Infrastructure Security – Threat team is responsible for device security (threat modeling, shift-left security), fuzzing and penetration testing of AWS Infrastructure. InfraSec-Threat is part of the Infrastructure Security organization responsible for threat intelligence, vulnerability management, security information and event management (SIEM), incident response, and overall security across the global AWS infrastructure.
We value work/life balance and plan well so we can be creative in our work as well as our lives.
We value inclusion and diversity because we know diversity brings in creativity.
Our team is responsible for the automated fuzzing assessments of all network devices, products, services, software and firmware released by infrastructure product teams. We specialize in digging deep to find security issues that static analyzers can’t, and write tooling and code to identify such issues at scale. The AWS infrastructure is foundational to all AWS services, so if you love working below the HTTP APIs on network layers, firmware level or operating system internals, this role could be a great fit.
On this team you will be reading and manually reviewing source code in C, C++, Java, go-lang, Python, JavaScript, Rust, and other languages to look for security bugs. At times, you may not have the source code and will need to black box test for security issues. You’ll be writing proof-of-concept (PoC) code to clearly demonstrate the impact of an issue. You will also be retesting and validating fixes to security issues discovered, as well as figuring out new ways to break the fixes themselves.
Key job responsibilities
- Manually audit the source code of infrastructure services and software authored in-house by Amazon
- Audit the security risk of various builds of vendor-provided hardware and software to find security flaws in it as a black-box
- Develop fuzz test harnesses leveraging tools like AFL++, LibFuzzer and honggfuzz to discover vulnerabilities in infrastructure software
- Write proof-of-concept code to demonstrate the severity of a potential security issue
- Provide clear communication on security issues to developers and network engineers that help in understanding the issue and testing the fix
- Partner with AWS developers to drive improvement in application security as a result of security review engagements
- Provide actionable long term risk mitigation guidance
- Work directly with Principal, Senior Principal and Distinguished Engineers to assess high risk attack surfaces to AWS infrastructure
- Present risk assessment reports and demonstrations to Directors and VPs
A day in the life
- Validate the security of a new device being introduced into the AWS data center
- Verify the code fixes made to address security issues
- Write proof-of-concept code to demonstrate the impact of a security issue
- Assess whether a publicly-disclosed issue is impacting AWS software or firmware components
- Ensure high security of vendor-provided hardware (such as whether there are security flaws in its boot process, etc.)
- Perform penetration tests on yet-to-be-released software ensuring it meets security requirements early-on during the development phases by collaborating with AWS engineers
About the team
Within AWS, the Infrastructure Security – Threat team is responsible for device security (threat modeling, shift-left security), fuzzing and penetration testing of AWS Infrastructure. InfraSec-Threat is part of the Infrastructure Security organization responsible for threat intelligence, vulnerability management, security information and event management (SIEM), incident response, and overall security across the global AWS infrastructure.
We value work/life balance and plan well so we can be creative in our work as well as our lives.
We value inclusion and diversity because we know diversity brings in creativity.
Confirm your E-mail: Send Email
All Jobs from Amazon.com