Aurora Group - San Francisco, CA

posted 3 months ago

Full-time - Senior
San Francisco, CA
Crop Production

About the position

Aurora (Nasdaq: AUR) is at the forefront of self-driving technology, aiming to make transportation safer, more accessible, and efficient. The Aurora Driver is a sophisticated self-driving system designed to operate various vehicle types, including freight-hauling semi-trucks and ride-hailing passenger vehicles. This technology underpins Aurora Horizon and Aurora Connect, which are driver-as-a-service products tailored for trucking and ride-hailing. Collaborating with industry leaders such as Toyota, FedEx, and Uber, Aurora is committed to building a transportation ecosystem that enhances road safety and mobility.

The Product Security team at Aurora plays a crucial role in identifying, mitigating, and preventing security risks associated with the software, hardware, and services developed by the company. This team is responsible for ensuring secure design and implementation of technology for the Aurora Driver while continuously improving security assurance levels across all products. Key responsibilities include conducting technical security assessments, threat modeling, security code reviews, and vulnerability testing to highlight risks and assist engineering teams in enhancing security measures.

We are seeking an experienced Security Engineer with a strong background in application security to lead and improve the overall security posture of our autonomous vehicle platform. In this role, you will perform secure design reviews, identify and prioritize risks, conduct security code reviews, manage the vulnerability management process, and develop secure software development lifecycle practices. You will also advocate for security best practices among engineers and partners, ensuring that security is integrated into every aspect of our technology development.

Responsibilities

  • Perform secure design reviews and threat modeling.
  • Identify and prioritize risks, attack surfaces, and vulnerabilities.
  • Conduct security code reviews of source code changes and advise developers on remediating vulnerabilities and following secure coding practices.
  • Perform technical security assessments and reviews; research, uncover, and reproduce vulnerabilities; design secure protocols and systems; and write tests and fuzzers to drive architecture changes.
  • Manage the vulnerability management process and program through triage, prioritization, tracking, remediation, and validation of vulnerabilities from audits, scans, and external reports.
  • Employ techniques including reverse engineering, fuzzing, and static and/or dynamic analysis.
  • Conduct research to identify new and novel attack vectors against Aurora's products and services.
  • Review, develop, and document secure operational best practices, and provide security guidance for engineers and various internal and external partners.
  • Develop and manage a secure software development lifecycle.
  • Develop and manage a bug bounty program.
  • Research, recommend, and develop security tools and technologies to strengthen defenses against emerging threats and vulnerabilities.
  • Work with Engineering teams and OEMs to ensure successful security assurance of the Aurora Driver platform and services.
  • Advocate, guide, and mentor both security and non-security engineers to instill security best practices through secure architecture, design, and development.

Requirements

  • Ability and desire to write production-quality code in C++, Golang, or Python.
  • Foundational knowledge of operating system security for Linux.
  • Foundational knowledge of the CWE Top 25.
  • Ability to assess software and/or hardware components with and without full knowledge.
  • Ability to work well with other assessment members and engineering partners.
  • Ability to communicate effectively with technical and non-technical audiences.
  • Experience in one or more of the following: risk assessment, threat modeling, incident and emergency response, OS hardening, vulnerability management, pentesting, offensive security or cryptographic protocols and concepts.
  • Experience in vulnerability discovery and analysis, design review, and code-level security reviews.
  • Experience and technical knowledge of security engineering, computer and network security, authentication and security protocols, and applied cryptography.
  • Experience with assessment, development, implementation, and documentation of a comprehensive and broad set of security technologies and processes.
  • Familiarity with automotive protocols and security standards.
  • Experience in Security Assurance / Secure-SDLC processes in an agile / waterfall environment.
  • Experience building and evaluating threat models / risk assessments.
  • Experience and ability to implement best practices related to cryptographic protocols, infrastructure and network security.
  • Minimum 8 years of experience in a security-specific or security-adjacent industry.
  • Minimum 2 years of experience in the robotics or automotive industry or equivalent.

Nice-to-haves

  • Relevant work experience in offensive security, penetration testing or red teaming.
  • Experience implementing various defense-in-depth strategies to address dynamic threats across various software and hardware stacks.
  • Experience evaluating the security of software, hardware, and services.
  • Foundational knowledge of embedded firmware security and hardware security, preferably in the robotics or automotive space.
  • Familiarity with cloud security (AWS) and infrastructure-as-code.
  • Familiarity with Trusted Platform Modules, HSMs, and trusted boot.
  • A history of giving back to the security industry via open source contributions, published papers, or conference presentations.

Benefits

  • Base salary range of $254K-$407K per year.
  • Annual bonus eligibility.
  • Equity compensation.
  • Comprehensive benefits package.