To support the variety of security evaluations SGS Brightsight performs, we are looking for people who can analyze secure product software and assess its security quality.
For the full version of this vacancy see the following pdf file: Code review skills
Product security is the result of a combination of security provided by hardware and software. In general, security cannot be provided by hardware alone and needs to be complemented by security implemented in software. The smallest details can make the difference between a secure and insecure product. Careful examination is therefore required to judge the security quality. As a source code reviewer you explore the software implementation of various IT products ranging from financial (including mobile payment), (U)SIMs and embedded secure elements to automotive, medical and ID products. Taking a specific product, it is your task to investigate the implemented security mechanisms and to define sophisticated attack scenarios using state-of-the-art attack methods, for example, fault injection using laser, in order to exploit the vulnerabilities you discovered. It is your responsibility to convince product developers of your findings to allow them to improve their products but it is even more important to provide sufficient argumentation to certification schemes why a product is (still) secure.
SGS Brightsight is looking for enthusiastic people who are up for this challenge and believe they have the capabilities to perform these tasks within the evaluations SGS Brightsight performs.
Furthermore, it is important that you take pride in your ability to both understand the security of a product and assess it in the context of the security requirements. SGS Brightsight works for many different types of customers and approval organizations. This means the assessment must be adapted to accommodate different stakeholders every time.
In this position, you will be part of a project team that performs product security evaluations. As a source code reviewer you are in touch with customers who are developing state-of-the-art products including the latest mobile payment applications
You are assessing the implementation of the product and provide feedback to their solution in face-to-face meetings. Customer meetings are internationally oriented, which involves discussions in different cultural contexts. You will document the findings and argumentation for both the product developer and the approval bodies. You will also support colleagues who are executing the attack scenarios you have defined.
As products are changing rapidly as are the attacks applied to these products, source code reviews require constant improvement and adaptation to keep on top of what is out in the field and could threaten products you are currently assessing. You will gain significant knowledge on secure product implementation by having access to different vendor solutions. The interaction with many developers around the world is a great experience that will trigger continuous improvement.
To get up to speed for this position you will participate in the SGS Brightsight training program on Methodology and Technology.
THE JOB REQUIREMENTS
We are looking for people with a BSc, MSc or PhD. degree in a technical field (Information Security, Computer Science, Electronics, Mathematics) that have experience with software development or testing for embedded systems. You must have the ability to understand complex designs and apply conceptual thinking to distinguish what is essential from what is less important. This job also requires that you communicate knowledge convincingly, both orally and in writing, to internal and external entities.
Knowledge of (EMV) payment products is an advantage, as is experience with security evaluations, Java Cards, attack techniques and an interest in hacking products. You must have a good command of the English language.