
Senior Security Vulnerability Researcher

US, CA, Virtual Location - California

Mobile, Alabama, United States, North America

California, United States, North America

April 27, 2024

Job summary

The Devices and Services (D&S) Trust & Security team works to ensure that our devices and services are designed and implemented to the high standards required to maintain and enhance customer trust. Security and Privacy are paramount to maintaining trust and we need to continue to build trusted products, maintain and operate trusted environments, and advocate trust to customers and stakeholders. The team develops security automation for devices & services, performs penetration testing, and handles and tracks incident responses to resolution. The Trust team is responsible for enabling business growth and innovation while honoring data policies and controls that help protect customer trust. We are responsible for defining and executing on the security and privacy requirements across the entire organization.

Are you interested in being part of a top-notch security team covering all Amazon consumer devices (including hardware and low-level functionality) as well as key Amazon services supporting our consumer devices (such as Computer Vision, AppStore, Device Registration, Kindle, etc.)? Amazon Lab126 is looking for skilled and exceptional security researchers to find security issues in our products to better protect our customers. Your work directly impacts the way our customers, teams, and business across the globe get things done. If you care deeply about keeping customers safe, then we have a job for you! You can learn more about security at Lab126 here: https://www.youtube.com/watch?v=k0UTTxzeGog

Key job responsibilities

In this role, you will be part of a dedicated team of passionate security engineers performing vulnerability research to detect high-impact issues in Amazon consumer products. You will work on identifying vulnerabilities in diverse product stacks spanning multiple architectures and SoCs, covering low-level embedded software, operating systems, applications, peripherals, web clients, web sites, and cloud services, and you will introduce defenses to raise the effort for attackers. You will identify detective and preventative technology and automation to reduce the impact of security threats in advance and be directly involved in our response to critical security issues. You will work with security stakeholders within the company, the security research community and partner organizations across the ecosystem to address security issues in collaboration with product teams and to do the right thing for our organization. You will lead gap analysis efforts to identify learnings to improve product security. You're well-known for your excellent prioritization skills as well as your ability to communicate at all levels of an organization. If you're passionate about finding security bugs, analyzing security exploits, and enjoy seeing your work's impact across Amazon consumer products and services, then this position is for you.

A day in the life

• Perform vulnerability detection using a variety of automated static and dynamic analysis as well as custom tooling (e.g. static analyzers, fuzzers, scanners, analyzers, etc.) to identify device or web services vulnerabilities and develop proof of concept exploits.
• Conduct campaigns to identify vulnerabilities in various platforms and technology stacks across devices (Android based, real time operating systems, protocols - Wi-Fi, BT, RF) and services (web services, cloud infrastructure and mobile applications).
• Advocate for raising the security bar for product teams by recommending security fixes, technical solutions and designs to enable product teams to mitigate classes of security vulnerabilities.
• Perform analysis of publicly reported vulnerabilities and attacks to synthesize areas of proactive focus spanning product stacks.
• Develop detailed technical documentation describing identified vulnerabilities and associated impact, as well as recommendations, for communication with internal engineering stakeholders as well as leadership.
• Perform analysis of reported issues and work with product, partner and vendor teams to remediate vulnerabilities.

Basic Qualifications

• Bachelor’s degree in Computer Science, Computer Engineering, Electrical Engineering, Cyber Security or a related field
• 7+ years relevant work experience
• 2+ years of development experience in C, C++, assembly (x86, x86-64, ARM) and/or Java
• Experience with at least one scripting language (e.g. Python, Ruby, Bash, JavaScript, Go)

Preferred Qualifications

Master’s degree in Computer Science, Computer Engineering, Electrical Engineering or equivalent. Candidates with experience in at least one of these areas are preferred.

• Experience in performing vulnerability research and reporting vulnerabilities in widely used software or sharing contributions via public research, blogging, and presentations with the security community.
• Experience in embedded/IoT device security or web services security specifically, with experience of performing software security audits, vulnerability discovery and analysis.
• Experience with common software security vulnerabilities and methods of exploitation, such as memory corruption, privilege escalation, web application exploitation, file format vulnerabilities, protocol-based weaknesses, etc.
• Experience with static and dynamic tools for vulnerability detection and exploit mitigation techniques.
• Experience with extracting firmware, reverse engineering a variety of hardware and software, including firmware, operating systems, and applications, binary analysis and proof of concept exploit development.
• Knowledge of common wireless connectivity protocols with focus on protocol or implementation security vulnerabilities (e.g. Bluetooth, Wi-Fi, 802.15.4, Zigbee) or hardware security mechanisms, including secure boot, trusted execution environments or operating system internals and associated security issues with emphasis on Linux, Android and common RTOS environments.
• Experience with analysis tools such as IDA, Ghidra, Radare, Burp Suite, and network traffic dissectors such as Wireshark.
  o Experience with service-oriented architecture, web services security, AWS/cloud infrastructure security
  o Foundation in, and in-depth technical knowledge of, security engineering, computer and network security, authentication, security protocols and applied cryptography.
  o Knowledge of network and web related protocols (e.g., TCP/IP, UDP, IPSEC, HTTP, HTTPS, routing protocols)

Amazon is committed to a diverse and inclusive workplace. Amazon is an equal opportunity employer and does not discriminate on the basis of race, national origin, gender, gender identity, sexual orientation, protected veteran status, disability, age, or other legally protected status. For individuals with disabilities who would like to request an accommodation, please visit https://www.amazon.jobs/en/disability/us.

Pursuant to the Los Angeles Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records.

Pursuant to the San Francisco Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records.
