Pentest Security Engineer II, Devices & Services Pentesting
Amazon - Austin, TX
posted 7 days ago
About the position
The position involves joining Amazon's penetration testing team to detect and exploit vulnerabilities across a wide range of services and devices, including consumer products and satellite systems. The role focuses on conducting thorough reviews of complex workflows, including authentication mechanisms and web applications, while also innovating automation techniques to enhance testing processes. The team operates under the Amazon Devices and Services Trust & Security organization, aiming to protect customer trust and data through security reviews, offensive testing, and vulnerability assessments. The ideal candidate will work closely with builder teams to identify high-impact security vulnerabilities and provide actionable guidance for remediation.
Responsibilities
- Lead and contribute to penetration tests against services and software released by Amazon's Devices & Services organization.
- Work closely with builder teams to scope pentests, develop test plans, find vulnerabilities, develop proof of concept exploits, report findings, and validate patches.
- Analyze and identify security vulnerabilities in source code using both automated and manual static analysis tools and techniques.
- Review and influence technical solutions to mitigate security vulnerabilities by providing actionable long-term risk mitigation guidance.
- Lead impactful security improvements in large product lines through close collaboration with partner builder teams.
- Develop detailed technical documentation describing identified vulnerabilities, associated impact, and recommended remediation.
- Mentor junior penetration testers and cultivate a culture of collaboration and research sharing.
Requirements
- 3+ years of experience identifying, exploiting, and recommending solutions to remediate web application and service API vulnerabilities.
- Experience tracing sources and sinks during code review to identify vulnerabilities and providing contextual remediation guidance.
- Experience designing and reviewing secure system architectures through the use of Threat Modeling incorporating sophisticated and modern attacks.
- Knowledge of cloud service providers and their offerings, preferably AWS, and its various technologies and services.
- Bachelor's degree in Computer Science or related field, or equivalent industry experience.
Nice-to-haves
- Foundational knowledge of hardware security fundamentals.
- Experience in CTF competitions, CVE research, and/or Bug Bounty recognition.
- Experience with applying and assessing Machine Learning technologies.
- Published security research (e.g. conference presentations, whitepapers, blog posts).
Benefits
- Flexible work hours and arrangements
- Career growth opportunities
- Knowledge-sharing and training resources
- Work-life balance initiatives
