Principal Security Researcher
City : Waterloo
Category : Software & Systems
Industry : IT
Employer : BlackBerry
Worker Sub-Type: Regular
Job Description:
The security of BlackBerry products is not just part of our heritage; BlackBerry Secure is a passion that runs deep throughout the company. We continue to envision, enable, and secure new forms of communication that are connecting the world in extraordinary ways. We have the most sophisticated end-to-end solutions, and our ideas lead the way in the hottest markets like cybersecurity and autonomous vehicles. We operate from the principle that security should be integrated throughout all stages of the development process and not left as an afterthought. Security is the heart of what we do.
BlackBerry's Product Security team is seeking a Principal Security Researcher to join our highly regarded organization. The successful candidate will work with software engineering groups throughout BlackBerry to ensure our products and services are ready to meet or exceed industry security standards. You will grow our culture of transparency and trust by:
- Performing threat modeling, design assessments, and code analysis of applications, services, and infrastructure.
- Promoting secure development practices at all stages of the software development lifecycle.
- Seeking and harnessing opportunities to embed automated security testing inside development workflows.
We are looking for a motivated self-starter with a passion for software security who is continually looking to learn about new technologies. We are looking for someone who enjoys leading in small teams that partner and influence to develop products with the highest levels of security. In return for your talent and enthusiasm, we will provide you with a broad security playground, the opportunity to learn and take on self-directed projects, and the excitement of contributing to the success of industry-leading secure software solutions!
Do you want to work for a company where security is the number one priority? Do you have a deep interest in all-things-security and a desire to keep growing your knowledge and influence? If so, come join us!
You will get to...
- Lead threat modeling exercises and architecture assessments of complex systems.
- Perform dynamic testing (fuzzing, penetration testing) to identify potential vulnerabilities and weaknesses.
- Identify sensitive functions and components, and conduct manual code reviews of them.
- Integrate security scanning technologies (SAST, DAST, SCA) into CI/CD pipelines, and ensure results are appropriately surfaced to Developers.
- Design tooling and frameworks to make adoption of security best practices easier for Developers.
- Propose and develop automated security test cases to expose security regressions during the development lifecycle.
- Collaborate with Developers and leaders to help triage, prioritize, and remediate weaknesses and vulnerabilities found during security assessments.
- Propose and lead initiatives to scale application security and holistically address classes of recurring security vulnerabilities.
- Create security guidance (coding practices, hardening requirements, configuration standards) that will improve application security; peer-review contributions.
- Establish and maintain security-vetted software components and scripts in a central repository for use by Product teams.
- Design and run hacking challenges to teach Development teams about application security.
- Act as a mentor for junior team members and new starters; participate in recruiting activities.
- Undertake continual skills and knowledge development to meet business objectives through attending security conferences, reading / watching material created by security experts outside BlackBerry, and participating in professional training.
We’re looking for someone with...
Critical Skills
- Bachelor's Degree and 8 years' related security experience
- Extensive architectural and security knowledge of four or more of the following areas:
  - Application development or security assessment for iOS or Android.
  - Application and service development or security assessment for Linux, Windows, or OSX.
  - Back end web application development or security assessment.
  - Web-related client-server communication methods such as REST, HTTP, and WebSockets.
  - Operating systems, device drivers, and related system calls and APIs including POSIX.
  - Cloud environments such as AWS and Azure; infrastructure-as-code development or assessment.
  - Containerization and virtualization technologies such as Docker and VMs.
  - Cryptography, including technologies such as PKI and PQC.
  - AuthN and AuthZ technologies including OAuth, SAML, CAs, OTP/TOTP, JWT, PASETO.
- Strong depth demonstrated in four or more of:
  - Static Analysis
  - Dynamic Analysis
  - Threat Modelling
  - Design Assessment
  - Code Review
  - Penetration Testing
Scheduled Weekly Hours: 40