Join Brightsight's security evaluation team
Why work at Brightsight?
- Be part of a multicultural team with highly knowledgeable colleagues from all over the world
- Work for the recognised global leader in security evaluations
- Work with all major developers on their latest innovations
- Enjoy an informal and intellectually challenging work environment
International recruitment
Our recruitment process is straightforward. We usually start with a (technical) interview. This can be a video call or a face-to-face interview if you live nearby. In some cases, we will give you a short assignment to test your hacking skills and reporting talent. If the results of this step in the process are positive, we will arrange a second interview. We prefer this to be face to face, but we sometimes use video calling. A lab tour is usually included. If we both feel it's a good match, we will end the second interview by talking about your contract.
On-boarding
In your first months at Brightsight, you will complete a training programme with practical workshops and introductions to technical and methodological issues. We prefer to train small groups of new employees who start at the same time. A trainer will also be assigned to train you in your technical field and a colleague will be assigned to guide you in practical matters.
To help you integrate into your living environment, you (and your family) will follow classes to learn Dutch, Spanish or German depending on location.
Regular evaluation meetings with your group manager complete your first year at Brightsight.
Current vacancies
We are looking for people with a fascination for IT security. If you have a background in electrical engineering, physics, computer science, software/hardware engineering, CISSP, mathematics, cryptography or a similar field, please get in touch with us!
Location: Meyreuil, France or Delft, The Netherlands
Mobile devices are ubiquitous in everyday life. They provide our modern society with an endless range of applications and advantages. Some of these mobile devices, however, are used to handle sensitive information such as personal, financial or even medical data. Such data needs to be adequately secured and protected.
What are you going to do?
You will be part of a multidisciplinary team of international experts evaluating the security of cutting-edge mobile device solutions. Some examples of solutions you will be evaluating are mobile payment, content protection and biometric authentication.
You will thoroughly examine the software-based security implementations of mobile and other connected devices, specifically on platforms such as Android, embedded Linux or iOS. This includes analysing how a given solution works, performing code reviews and executing practical penetration testing to identify potential vulnerabilities. For this, you will work in our state-of-the-art laboratory to instrument code binaries using advanced reverse engineering techniques and investigate the extent to which the security protections can be circumvented.
You will also participate in R&D projects in the context of mobile software-based security by developing and replicating new attacks, increasing the efficiency of the evaluations, etc.
Your hard skills
- BSc degree or higher (MSc, PhD) in Computer Science, or in disciplines such as Electronics, Physics or Mathematics, or proven work experience as a software security engineer.
- Good knowledge of mobile platform environments, such as Android, embedded Linux or iOS, their security principles and the related programming languages (Java, C, C++, assembly). You are familiar with the technical concepts behind mobile platform technologies, particularly the processor architectures (ARM, x86).
- Familiar with reverse engineering of binaries and applications, and with static and dynamic analysis tools.
- Knowledge of techniques, standards and state-of-the-art capabilities for authentication, cryptography, security vulnerabilities and countermeasures is highly desired.
- A willingness to learn in a fast-paced, changing environment.
- A keen interest in all aspects of security research and development.
Your soft skills
- You can work both individually and together with fellow team members.
- You never give up, but know when you’ve done enough. Security analysis of mobile applications is like an obstacle race. Successfully finding your way around secure implementations requires perseverance and resourcefulness.
- You never get tired of learning new concepts and are always up to date with the latest developments and publications. Security is a constantly moving target. You are eager to use your creativity to do new things every day.
- Security is a complex and challenging field. The key to successfully performing a thorough and adequate security evaluation lies in good cooperation with your colleagues. You enjoy working in a collaborative manner and getting the best out of a team, while keeping your own sense of organisation and accountability.
- Our security evaluations are concluded by writing a detailed evaluation report. Good writing and communication skills in English are essential.
Location: Delft, The Netherlands
One of the most powerful techniques to test a product's security is fault injection. Such attacks aim at modifying the circuit’s behaviour in order to access protected assets. Many types of fault injection attacks have been developed during the past decades, posing a critical threat for modern secured products. Fault Injection Security Evaluators use a wide range of attack methods to evaluate the security of a product.
The position
Fault injection attacks are performed in several steps, using various methods. Your daily activities involve (but are not limited to) cooperation with code and/or hardware reviewers to understand the product and its vulnerabilities, hands-on experiments in our lab, result analysis and reporting. As a Fault Injection Security Evaluator, you will be trained in these activities by an experienced colleague. Once fully trained, you will become an independent Evaluator. As attacks and products are constantly evolving, you will keep learning with the team.
Understanding the product
A fault injection test is usually one task of a larger evaluation project. These projects start with an implementation review (hardware and/or code) to identify potential vulnerabilities. This review is done by code and/or hardware reviewers who then create a test plan based on the identified vulnerabilities.
Your task starts by building an understanding of the product: its architecture, the vulnerability you are assessing, the target operation you need to attack, etc. Typically, this information is also part of the test plan and you will discuss this during the project with the rest of the team. Understanding the architecture of a microcontroller/smart card, crypto algorithms such as DES, AES, RSA, ECC etc., or payment protocols will be helpful to understand the product. This will be the first part of your training if you have no experience in this area.
Fault injection experiments
Once you have understood the product, you will prepare product samples for testing. This step can involve various preparation techniques like mechanical or chemical removal of packaging, chip thinning, the preparation of test circuit boards, etc. Skills like understanding and/or designing electronic circuits or experience with lab equipment like oscilloscopes will be helpful but they – as well as any skills needed to prepare the samples – will also be part of the training and are not mandatory.
Once the sample is prepared, you will need to write a test script (typically in JavaScript) which performs the attack on one of the various fault injection set-ups present at Brightsight. The techniques you will encounter include voltage manipulation (VM), body bias injection (BBI), electro-magnetic fault injection (EMFI) and light manipulation (LM) using various laser set-ups. During the second part of your training, you will learn how to prepare your sample and how to use all of our fault injection set-ups.
Analysis of the experiment results
As part of the experiments, you will assess the impact of the manipulation attempts performed, e.g. by analysing the response to a target command. You will need to determine whether the product you are attacking has activated countermeasures or whether you have successfully injected a fault. This is an iterative process, based on the results of several experiments, for each of which you will actively choose the various parameters needed to thoroughly test the product. During this phase, you will discuss your results with the team and the code or hardware reviewer to better understand any unexpected activity you may observe.
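The response-classification and parameter-search loop described above, as an added illustration that is not Brightsight's own tooling or script format. The target device is a constructed stand-in (a PIN check that can be glitched during its comparison; its timing window and width range are assumed values), so the transferable part is the outcome classification (expected response, mute, reset, fault) and the coarse-then-fine sweep over glitch delay and width:

```python
"""Outcome classification and parameter search for a fault injection campaign.
Added illustration; the target below is a constructed stand-in for a real bench."""
import random
from collections import Counter

# Outcome classes an evaluator distinguishes for every injection attempt
NORMAL = "normal"   # expected response: the glitch had no effect
MUTE = "mute"       # no response within the timeout (device hung or silently reset)
RESET = "reset"     # the set-up reported a reset/tamper response: countermeasure triggered
FAULT = "fault"     # response differs from the expected one: a fault was injected

# Expected answer of the target command; the constructed target is a PIN check
# that is always given a wrong PIN, so the expected answer is a rejection.
EXPECTED = b"\x69\x82"


def classify(response):
    """Map a raw response from the target command to an outcome class.
    None models a timeout; b"RST" models the reset indicator of the set-up (assumed)."""
    if response is None:
        return MUTE
    if response == b"RST":
        return RESET
    if response == EXPECTED:
        return NORMAL
    return FAULT


class ConstructedTarget:
    """Hypothetical target. A glitch that hits the comparison window with a
    suitable width flips the verdict with some probability; a glitch that is
    too wide trips a sensor (reset) or hangs the chip; anything else is ignored."""

    def __init__(self, seed=7):
        self.rng = random.Random(seed)
        self.window = (120, 140)   # ns after trigger during which the compare runs (assumed)
        self.width_ok = (20, 60)   # glitch widths that corrupt without tripping the sensor (assumed)

    def run(self, delay_ns, width_ns):
        if width_ns > 90:
            return b"RST" if self.rng.random() < 0.8 else None
        in_window = self.window[0] <= delay_ns <= self.window[1]
        width_fits = self.width_ok[0] <= width_ns <= self.width_ok[1]
        if in_window and width_fits:
            if self.rng.random() < 0.5:        # success is probabilistic, as on real silicon
                return b"\x90\x00"             # PIN accepted with a wrong PIN: verdict bypassed
            return None if self.rng.random() < 0.3 else EXPECTED
        return EXPECTED


def sweep(target, delays, widths, repeats=3):
    """Run every (delay, width) combination `repeats` times; return outcome counts per point."""
    results = {}
    for d in delays:
        for w in widths:
            results[(d, w)] = Counter(classify(target.run(d, w)) for _ in range(repeats))
    return results


def fault_points(results):
    """Parameter points at which at least one fault was observed."""
    return sorted(p for p, c in results.items() if c[FAULT] > 0)


def refine(target, results, step=5, repeats=5):
    """Second, finer pass around every point of the coarse sweep that produced a fault."""
    refined = {}
    for d, w in fault_points(results):
        local = sweep(target, range(d - 10, d + 11, step),
                      range(max(1, w - 10), w + 11, step), repeats)
        refined.update(local)
    return refined


if __name__ == "__main__":
    t = ConstructedTarget()
    coarse = sweep(t, range(0, 201, 20), range(10, 121, 20), repeats=5)
    for (d, w), c in sorted(coarse.items()):
        if c[FAULT] or c[RESET]:
            print(f"delay={d:3d} ns width={w:3d} ns -> {dict(c)}")
    print("fault region (coarse):", fault_points(coarse))
    print("fault region (refined):", fault_points(refine(t, coarse)))
```

The point of keeping MUTE and RESET separate from FAULT is that a mute or reset is usually the countermeasure doing its job; only a response that is neither the expected one nor a reset indicates a fault that got past it, and only those points are worth refining.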
Writing a report
As a final step, you will write a technical report to describe the experiments that you have performed as well as the results you have achieved. An important part of the report is your well supported conclusion with regard to the security of the product. The report must be understandable for internal and external entities, so it is important that you can determine what is important or not and have good writing skills in English.
Other activities
Besides the above-mentioned activities, Fault Injection Security Evaluators are involved in the development of (hardware or software) tools and R&D of new attacks.
Job requirements
- We are looking for people with a BSc or MSc degree in a technical field (Electronics, Physics, Electrical Engineering) with the potential ability to understand and perform the above-mentioned daily activities of Fault Injection Security Evaluators.
- It is important that you like to work in a lab, with oscilloscopes, function generators, and other electronic equipment.
- Having an analytic mind and being a good team player will be a plus.
- Experience in circuit development and knowledge of fault injection attacks are helpful but not mandatory. Brightsight provides a full training program from basics to expert level. Therefore, your motivation, potential and attitude to analyse the products are most important.
- This job also requires that you communicate knowledge convincingly, both orally and in writing, to internal and external entities.
The field of security evaluation is very broad, constantly on the move, and very exciting. We look forward to welcoming you to our team!
Location: Delft, The Netherlands
One of the most powerful techniques to assess the security of a product is the class of side channel attacks. Such attacks aim to retrieve secret information by using information that a product leaks in indirect ways, such as power consumption, electromagnetic emission, etc. Since its advent in the 1990s, side channel analysis has become one of the critical threats to the security of modern security products such as smart cards, electronic passports, payment terminals, etc. Side Channel Evaluators assess these products in terms of their security against state-of-the-art side channel attacks with hands-on experiments and analysis.
Understanding the product
The Side Channel Evaluator starts their tests by building an understanding of the product: the target operation, vulnerability of the product, etc. Typically, this information is delivered by code or design reviewers in the form of a test plan. Understanding of crypto algorithms such as DES, AES, RSA, ECC etc., architecture of a microcontroller/smart card, or payment protocols will be helpful to understand the product.
Measurement of side channel information
Once the sample is prepared, the Side Channel Evaluator measures the power consumption or electromagnetic emission of the product using a dedicated measurement set-up.
Analysis of the measured signals
The Side Channel Evaluator analyses the measured signals first by pre-processing the traces with different kinds of signal processing techniques such as noise reduction, trace alignment, frequency domain transformation, etc., and then by applying mathematical methods such as the statistical mean, correlation, multivariate Gaussian models, mutual information, hypothesis testing, maximum-likelihood testing, etc.
Recent advances in the field of deep learning have also led us to use it in side channel attacks. Therefore, artificial neural networks (ANN) are now also part of side channel analysis. When only partial information about the secret key is known from the tests, the Side Channel Evaluator needs to estimate the remaining security using probability and entropy theory. A good understanding of the above-mentioned mathematics or ANN will be helpful.
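The correlation step and the partial-information estimate described above, as an added worked example that is not Brightsight's own tooling. It builds the AES S-box, constructs synthetic power traces in which one sample leaks the Hamming weight of the first-round S-box output (an assumed leakage model; the noise level, trace length and leaking sample index are constructed values), runs a correlation power analysis over all 256 guesses for one key byte, and then expresses how much of that byte is still unknown as log2 of the rank of the true key among the guesses. Pre-processing (alignment, filtering) is omitted; the traces are already aligned by construction.

```python
"""Correlation power analysis (CPA) on constructed traces of an AES first-round
S-box lookup, plus a key-rank estimate for the "partial information" case.
Added illustration; pure Python, no external libraries."""
import math
import random


def rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def build_sbox():
    """AES S-box: multiplicative inverse in GF(2^8) followed by the affine map.
    Walks the field with generator 3 (p *= 3, q /= 3 keeps p*q == 1)."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        q = (q ^ (q << 1)) & 0xFF
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4)
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = build_sbox()
HW = [bin(v).count("1") for v in range(256)]   # Hamming weight table


def simulate_traces(key_byte, n_traces, n_samples=8, leak_sample=3, sigma=2.0, seed=1):
    """Constructed traces: every sample is Gaussian noise, except one sample that
    additionally carries HW(SBOX[plaintext ^ key]) (assumed leakage model)."""
    rng = random.Random(seed)
    plaintexts, traces = [], []
    for _ in range(n_traces):
        pt = rng.getrandbits(8)
        trace = [rng.gauss(0.0, sigma) for _ in range(n_samples)]
        trace[leak_sample] += HW[SBOX[pt ^ key_byte]]
        plaintexts.append(pt)
        traces.append(trace)
    return plaintexts, traces


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / math.sqrt(vx * vy)


def cpa_scores(plaintexts, traces):
    """For each key-byte guess: the hypothesis HW(SBOX[pt ^ guess]) is correlated
    with every sample column; the score is the largest |correlation| over samples."""
    columns = [[t[s] for t in traces] for s in range(len(traces[0]))]
    scores = []
    for guess in range(256):
        hyp = [HW[SBOX[pt ^ guess]] for pt in plaintexts]
        scores.append(max(abs(pearson(hyp, col)) for col in columns))
    return scores


def rank_of(scores, true_key):
    """1-based rank of the true key: candidates an attacker tries, in score order, up to it."""
    order = sorted(range(256), key=lambda k: scores[k], reverse=True)
    return order.index(true_key) + 1


def remaining_bits(rank):
    """Work the attacker still faces for this byte, in bits (0 when it ranks first)."""
    return math.log2(rank)


def attack(key_byte, n_traces):
    pts, trs = simulate_traces(key_byte, n_traces)
    scores = cpa_scores(pts, trs)
    best = max(range(256), key=lambda k: scores[k])
    r = rank_of(scores, key_byte)
    return best, r, remaining_bits(r)


if __name__ == "__main__":
    for n in (10, 40, 300):
        best, r, bits = attack(0x2B, n)
        print(f"{n:4d} traces: top guess 0x{best:02X}, true-key rank {r}, {bits:.1f} bits left")
```

With few traces the true key may not rank first; the rank (and its log2) is the simplest form of the "how much is left" estimate the text refers to. Per-byte ranks do not simply multiply into a full-key work factor, which is why key-enumeration and rank-estimation methods exist for the 16-byte case.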
Other activities
Besides the above-mentioned activities, Side Channel Evaluators are involved in the development of (hardware or software) tools and R&D of new attacks.
Job requirements
- We are looking for people with a BSc, MSc or PhD degree in a technical field (Information Security, Computer Science, Electronics, Mathematics, etc.) with the potential ability to understand and perform the above-mentioned daily activities of Side Channel Evaluators.
- A good understanding of mathematics is important, as is possessing an analytic mind.
- Experience of development of electronic circuits and knowledge of crypto algorithms are helpful but not mandatory. Brightsight provides a very good training program from the basics to the expert level. Therefore, potential and attitude to analyse the products are most important.
- This job also requires that you communicate knowledge convincingly, both orally and in writing, to internal and external entities.
- Working with colleagues from different backgrounds and knowledge is also important.
The field of side channel analysis is very broad, constantly on the move, and very exciting. We look forward to welcoming you to our team!
Locations:
Delft, The Netherlands
Graz, Austria
Meyreuil, France
Barcelona, Spain
Madrid, Spain
Beijing, China
Shanghai, China
Singapore
The position
As a Senior Common Criteria Evaluator, you will participate in projects for our customers. Often you will have the role of lead evaluator, which means that you will be responsible for the technical and/or methodological quality of the project. You will also use your knowledge and experience to inspire younger colleagues in their development and in their communication with customers.
You will represent Brightsight in the field of Common Criteria to customers and during conferences and events. You will be active in defining internal R&D programs and you'll take an active role in supporting project managers during the acquisition of projects.
Our work
Job requirements
- We are looking for people with a bachelor’s or master’s degree in a technical field of study (electronics, physics, IT, mathematics) with proven experience in Common Criteria projects, preferably as an evaluator, but otherwise as a consultant or developer.
- A track record in Common Criteria projects in telecommunications, integrated circuits or smart cards is required.
- You are well familiar with the international schemes and you have contributed to several certificates for Common Criteria evaluations.
- In addition, you need to have a hacker mentality and good all-round English language skills.
Location: Delft, The Netherlands
The position
As a source code reviewer you explore the software implementation of various IT products ranging from financial (including mobile payment), (U)SIMs and embedded secure elements to automotive, medical and ID products. Taking a specific product, it is your task to investigate the implemented security mechanisms and to define sophisticated attack scenarios using state-of-the-art attack methods, for example, fault injection using laser, in order to exploit the vulnerabilities you discovered. It is your responsibility to convince product developers of your findings to allow them to improve their products but it is even more important to provide sufficient argumentation to certification schemes why a product is (still) secure.
Brightsight is looking for enthusiastic people who are up for this challenge and believe they have the capabilities to perform these tasks within the evaluations Brightsight performs.
Furthermore, it is important that you take pride in your ability to both understand the security of a product and assess it in the context of the security requirements. Brightsight works for many different types of customers and approval organizations. This means the assessment must be adapted to accommodate different stakeholders every time.
In this position, you will be part of a project team that performs product security evaluations. As a source code reviewer you are in touch with customers who are developing state-of-the-art products, including the latest mobile payment applications.
You assess the implementation of the product and provide feedback on the solution in face-to-face meetings. Customer meetings are internationally oriented, which involves discussions in different cultural contexts. You will document the findings and argumentation for both the product developer and the approval bodies. You will also support colleagues who are executing the attack scenarios you have defined.
As products are changing rapidly as are the attacks applied to these products, source code reviews require constant improvement and adaptation to keep on top of what is out in the field and could threaten products you are currently assessing. You will gain significant knowledge on secure product implementation by having access to different vendor solutions. The interaction with many developers around the world is a great experience that will trigger continuous improvement.
To get up to speed for this position you will participate in the Brightsight training program on Methodology and Technology.
Job requirements
- We are looking for people with a BSc, MSc or PhD degree in a technical field (Information Security, Computer Science, Electronics, Mathematics) who have experience with software development or testing for embedded systems.
- You must have the ability to understand complex designs and apply conceptual thinking to distinguish what is essential from what is less important.
- This job also requires that you communicate knowledge convincingly, both orally and in writing, to internal and external entities.
- Knowledge of (EMV) payment products is an advantage, as is experience with security evaluations, Java Cards, attack techniques and an interest in hacking products.
- You must have a good command of the English language.
Location: Delft, The Netherlands
The position
As an Experienced Payment Terminal Evaluator you will participate in projects for our customers. Often you will have the role of lead evaluator, which means that you are responsible for the technical and methodological quality of the project. Your experience must also include taking payment terminal evaluations beyond projects. You will use your knowledge and experience to inspire younger colleagues in their development and in their communication with customers.
As Experienced Payment Terminal Evaluator you will represent SGS Brightsight in the field of payment terminals to customers and during conferences and events. You will actively participate in defining internal R&D programs and you will have an active role in supporting project managers during the acquisition of projects.
Our work
Brightsight evaluates the security of products: in many cases a combination of hardware and software. We assess the level of security based on internationally recognised standards. We work with financial companies such as MasterCard and Visa, certification bodies of governments and, of course, the developers/suppliers/manufacturers of security products. We also support our customers in understanding the security standards and the evaluation process.
Job requirements
- We are looking for people with a bachelor’s, master’s or PhD degree in a technical field (Electronics, Physics, IT, Mathematics) with proven experience in projects involving payment terminals or related devices, preferably as an evaluator, but otherwise as a consultant or developer.
- A track record in payment terminals is required.
- You are well acquainted with the banking schemes and you have contributed to several approvals for payment terminals.
- A hacker mentality.
- All-round good English language skills.
Location: Delft, The Netherlands
We are looking for students in the fields of e.g. Computer Engineering, Electrical Engineering, Informatics, Technical Informatics and Mathematics. A hacker mentality is certainly welcome, as well as good English language skills.
Locations:
Delft, The Netherlands
Graz, Austria
Meyreuil, France
Barcelona, Spain
Madrid, Spain
Clackamas, Oregon, USA
Columbia, Maryland, USA
Beijing, China
Shanghai, China
Singapore
Our internships
- Automation of evaluation tasks: develop a tool to be used in evaluations.
- Beyond-specification test equipment: develop a device such as a card reader that enables beyond-specification testing.
- Mobile phone data retrieval: develop a proof of concept (application) that uses device internals to indirectly eavesdrop on data entered.
- Payment terminal attacks: proof of concept of hardware or software attacks, as well as of the combination.
- Protocols: elaborate on publicly known protocols and assess the consequences for evaluation methods and tools.
- Smart card attacks: improve assessment methods in different domains for data that is retrieved in our measurements.
For an internship we feel that the best assignments are those that you like and want to dive into. Therefore we’d like to find a match between your wishes and our opportunities.
Requirements
- We are looking for students in the fields of e.g. Computer Engineering, Electrical Engineering, Informatics, Technical Informatics and Mathematics.
- A hacker mentality is certainly welcome.
- All-round good English language skills.
Locations:
Delft, The Netherlands
Graz, Austria
Barcelona, Spain
We are looking for people with a fascination for IT security. If you have a background in electrical engineering, physics, computer science, software/hardware engineering, CISSP, mathematics, cryptography or a similar field, please get in touch with us!