Description
Responsible for developing, applying and maintaining quality standards for company products with adherence to both internal and external standards. Develops and executes software test plans. Analyzes and writes test standards and procedures. Maintains documentation of test results. Analyzes test results and recommends corrective actions.
As a member of the technical/process QA division, you will design functional, integration and regression test plans, build and execute manual and automated tests and perform highly complex analysis for multiple products. Set cross-functional product testing standards. Analyze, evaluate and plan methods of approach and organize means to achieve solutions to complex problems.
Work is non-routine and very complex, involving the application of advanced technical/business skills in area of specialization. Leading contributor individually and as a team member, providing direction and mentoring to others. BS or MS degree or equivalent experience relevant to functional area. 7 years of software engineering or related experience.
Responsibilities
About Oracle Hospitality
Oracle Hospitality delivers a wide range of software, hardware, and related services, along with a rapidly growing portfolio of cloud solutions, to enable our customers in the hospitality industry to provide superior service and experience to their guests anywhere. Our products are everywhere on the planet earth. If you stayed at an established hotel, you touched our product.
The Oracle Hospitality Product Security Team is a cross-vertical team of application security experts and technical program managers. Our mission is to make our products more secure than ever before. Our team closely collaborates with product development teams in order to ensure that all our products are engineered to the highest application security standard.
Come and join us, if you like hands-on security testing and applied security research.
About The Job
As a Security Engineer, you will perform security testing. You will infuse threat modeling concepts, secure design principles, secure code review methodologies, and novel testing techniques and tools into our software development process. You are good not only at finding and exploiting vulnerabilities but also at helping the teams understand the security risks and providing actionable advice.
The ideal candidate for this engaging and visible technical role would have the experience of a developer, vulnerability analyst, and security tester, with all these qualities bundled up in an affable communicator, in order to make our Oracle Hospitality products more secure and usable.
What You'll Do
- Security Testing: You will perform hands-on security testing of multiple products.
- Security Analysis: You will analyze our products' design, source code, and test cases from a security point of view. You will help construct threat models, and review existing models to identify additional threats.
- Security Coaching: You will contribute to hands-on coaching of the fundamentals of secure programming, built-in security design concepts, and testing approaches.
- Security Tools Evaluation: You will evaluate state-of-the-art application security tools. As a security engineer, you will evaluate the strengths, weaknesses, scalability and usability of security tools. You will recommend the right tools for a given product.
- Security Program Management: You will collaborate with other security program managers in our team by supporting them in collecting security metrics from numerous artifacts such as the reports of static analysis tools, dynamic testing tools, to name a few.
- Represent Product Security Team: You will represent our team in forums such as corporate security groups within Oracle. You are dependable, proactive, self-motivated, customer-focused, organized, and a good communicator.
What You Need to Have
A BS or MS in Computer Science, Mathematics or equivalent
Knowledge of:
- Modern Programming languages, such as Java, C#, C/C++
- Scripting languages, such as Python, Ruby, Bash, etc.
- Detailed understanding of HTTP standard and OWASP Top 10
- Cryptography concepts
- Software engineering principles and design patterns
- At least 5 years of experience working with application software security
- Most importantly, the aptitude to be a good team player
- Willingness to learn and lead our security initiatives (e.g., security code reviews, testing)
- Willingness to listen to peers and managers
- Methodical approach to troubleshooting complex problems
What the Perfect Candidate Will Have
Deeper Understanding of:
- Reverse Engineering of Architecture/Design from Source Code
- Web Services (e.g., REST APIs, SOAP)
- Threat Modelling (e.g., STRIDE)
- Standard Static and Dynamic Analysis Tools (e.g., Fortify, Burp Suite, Fiddler)
- Automated Random or Fuzz Testing
- Networking, TCP/IP concepts, and TLS protocol
- Inner workings of Cryptography (graduate-level)
- Cloud computing patterns
- Agile/Scrum
- Regulatory Compliance standards (e.g., PCI, GDPR)
Experience with:
- Proof of concept exploits development
- Ethical hacking of industrial systems
- Presenting the results of security testing to development teams
- Publications of applied research work at peer-reviewed conferences (good to have)
- More importantly, passionate about application software security and testing