Static Analysis Security Researcher, Information Security

Job Expired

Summary

Posted: Mar 11, 2022

Weekly Hours: 40

Role Number:200308341

This position can be located in Seattle (WA), Santa Clara Valley (CA) or Austin (TX).

Imagine what you could do here. At Apple, new ideas have a way of becoming extraordinary products, services, and customer experiences very quickly. Bring passion and dedication to your job and there’s no telling what you could accomplish! Apple is seeking an exceptional security researcher to identify and build static analysis detections and/or tooling relevant to the technology, security concerns, and classes of software vulnerabilities relevant to Apple. We’re a diverse collection of problem solvers and doers, continually reimagining our products, systems, and practices to help people do what they love in new ways. This is a deeply reciprocal place, where everything we build is the result of people in different roles and teams working together to make each other’s ideas stronger. That same real passion for innovation that goes into our products also applies to our practices, strengthening our dedication to leave the world better than we found it!

Experience with identifying security vulnerabilities through source code review
Experience manually testing web applications or enterprise penetration testing
Experience with programming languages like Python, Go, Java, Ruby, Objective-C, Swift, Rust
Understanding of Abstract Syntax Tree (AST) generation and other code transformation methodologies
Proficiency in either macOS or other Unix related operating systems (eg, Linux, BSD, Solaris, etc)
Ability to explain basic networking concepts (routing, ACL, load balancers, SSL/TLS, TCP) in order to provide application architecture feedback
Background in web application development and/or infrastructure as code engineering strongly preferred
Strong verbal and written communication skills
Passion for discovering and researching new vulnerability identification techniques

– Analyze Apple’s source code, conduct research to automate identification of dependency supply chain, and automate identification of the technologies used in Apple’s source code – Analyze vulnerability history to report security concerns and classes of software vulnerabilities relevant to Apple – Assess existing static analysis technologies for integration into Apple security tooling – Research methods for applying static analysis detections to infrastructure as code environments – Based on the above analysis, identify and prioritize static analysis detection opportunities – As time allows, stay up-to-date with Apple product and service development by conducting security architecture review, manual application security testing, and source code auditing Other responsibilities include: – Conduct manual application security testing and source code auditing for a variety of technologies. – Provide clear and detailed risk assessment and remediation guidelines for developers and business owners. – Conduct security architecture review of the full stack including applications built on cloud and emerging technologies. – Improve Apple’s automated defect detection build process, including our quality assurance test suite – Document and evangelize to internal Apple development teams, the process for giving static analysis rules – Mentor other security engineer team members to develop and give static analysis detections – Help other security engineers and developers to contribute static analysis rules or tooling – Research the latest standard methodologies, trends, threats and vulnerabilities, and technology frameworks – Research and develop tools to enhance static analysis framework capabilities (e.g. accuracy, coverage, and efficiency of detections) – Producing vulnerability proof of concepts and writing clear remediation guidance to aid development teams

BS in Computer Engineering with specialization in Information Security or 4+ years of equivalent, hands-on information security experience in a large enterprise environments a plus.