Principal Security Researcher
Role Overview / Description
We are seeking a Principal Security Researcher to join Veracode’s Applied Research Group. The Principal Security Researcher will lead research projects for improving the capabilities and quality of Veracode’s Static Application Security Testing (SAST). They will also conduct original security research to give back to the community and advance its knowledge.
Principal Security Researchers enjoy working independently to solve novel and sometimes difficult technical problems and are able to quickly learn about the security posture and attack surfaces of applications in languages such as Java, Python and Go, as well as others. They work methodically and can clearly and effectively communicate technical information to developers and security practitioners. Principal Security Researchers must be able to drive security decisions and collaborate effectively with developers who implement their research.
- Conduct research to identify potential weaknesses and security vulnerabilities in Java and Python applications, and in other languages as the need arises.
- Describe vulnerabilities and potential exploits, and produce proofs of concept and representative examples to aid engineering teams in building product capabilities.
- Engage in binary and source static analysis and reverse engineering of applications.
- Conduct research to improve the automation, accuracy, and efficiency of detection techniques and related systems, using both our own proprietary software and open-source tools.
- Contribute expertise to Veracode’s customer- and public-facing documentation to ensure information is current, accurate, and actionable.
- Mentor and provide technical guidance to developers and researchers.
- Actively participate in the software security community by attending and presenting at industry conferences, conducting and publishing original research, contributing articles to the Veracode blog and/or trade blogs and magazines, etc.
Key skills and experience desired:
- 3+ years of practical reverse-engineering or binary static-analysis experience, including familiarity with Abstract Syntax Trees (AST), reflection, or other code transformation approaches; compilers and associated tooling; and decompilers, disassemblers, and/or debuggers used in binary analysis
- 2+ years of practical application security experience, such as source code auditing, penetration testing, product assessment, vulnerability research
- The ability to enter a “breaker” mentality – Veracode is defensively-oriented, but our research requires an offensive mindset, including the ability to assess the attack surface of a piece of software.
- Prototyping ability – must be comfortable producing “quick and dirty hacks” to demonstrate a concept or solve a one-off problem
- Strong professional skills:
  - Attention to detail as part of a commitment to quality
  - Analytical and organizational capability for advocating, planning, and executing projects independently
  - Ability to understand technical and security issues from a customer point of view
  - Strong written and verbal communication ability in English, especially technical writing for a developer audience
The following are valuable but not required:
- Experience consulting with internal or external customers
- Enterprise Java experience (as a developer or security consultant).
- Familiarity with Rust, as well as with LLVM bitcode or similar Intermediate Representations (IR).
- Familiarity with Apex applications.
- Experience using software tools such as git, JIRA, and CI/CD automation tools.
In accordance with U.S. pay transparency laws, Veracode provides compensation transparency for roles based in the United States. Click here to view our compensation ranges by grade. Please note that specific compensation may be influenced by various factors, including the candidate’s experience, education, and work location.
Job Grade: [Principal]