Join Brightsight's security evaluation team

Why work at Brightsight?

Do you have a background in Electrical Engineering, Physics, Computer Science, Software/Hardware Engineering, CISSP, Mathematics, Cryptography or a similar field? Then we might be looking for you!

  • Be part of a multicultural team with highly knowledgeable colleagues from all over the world
  • Work for the recognised global leader in security evaluations
  • Work with all major developers on their latest innovations
  • Enjoy an informal and intellectually challenging work environment

International recruitment

We recruit internationally. There are two reasons for this: not only do we want the best people available, but we also believe it is useful to have all the nationalities in our company that we see at our international customers, too. With around 30 different nationalities, we can call ourselves a multicultural organisation where everyone shares one passion: security evaluation!

International recruitment is a bit different. Emigration leads to some challenges in addition to changing jobs. But we have a lot of experience in dealing with things like residence permits, language issues, the 30% rule (if applicable), schools and housing, so we can help you with all of that.

Our recruitment process is straightforward. We usually start with a (technical) interview. This can be a video call or a face-to-face interview if you live nearby. In some cases, we will give you a short assignment to test your hacking skills and reporting talent. If the results of this step in the process are positive, we will arrange a second interview. We prefer this to be face to face, but we sometimes use video calling. A lab tour is usually included. If we both feel it's a good match, we will end the second interview by talking about your contract.

On-boarding

After signing the contract, we start applying for you and your family’s residence permit. This process takes a few weeks and is paid by Brightsight. Once the permit has been arranged, we will book a flight for you to come to our office. In Delft and in San Cugat, we have a house where you can stay for the first days or weeks. You might have to share it with colleagues. People usually find a place to live within a few months.

In your first months at Brightsight, you will complete a training programme with practical workshops and introductions to technical and methodological issues. We prefer to train small groups of new employees who start at the same time. A trainer will also be assigned to train you in your technical field and a colleague will be assigned to guide you in practical matters.

To help you integrate into your living environment, you (and your family) will follow classes to learn Dutch, Spanish or German depending on location.

Regular evaluation meetings with your group manager complete your first year at Brightsight.

Current vacancies

We are looking for people with a fascination for IT security. If you have a background in electrical engineering, physics, computer science, software/hardware engineering, CISSP, mathematics, cryptography or a similar field, please get in touch with us!

Mobile Software Security Evaluator (Meyreuil, France or Delft, The Netherlands)
Location: Meyreuil, France or Delft, The Netherlands

Mobile devices are ubiquitous in everyday life. They provide our modern society with an endless range of applications and advantages. Some of these mobile devices, however, are used to handle sensitive information such as personal, financial or even medical data. Such data needs to be adequately secured and protected.

We are looking for Mobile Software Security Evaluators. We will not only consider skilled individuals with years of experience with software security for mobile devices, but also recent graduates seeking to start a successful professional journey. Above all, we want people who are passionate about software security.

What are you going to do?

You will be part of a multidisciplinary team of international experts evaluating the security of cutting-edge mobile device solutions. Some examples of solutions you will be evaluating are mobile payment, content protection and biometric authentication.

You will thoroughly examine the software-based security implementations of mobile and other connected devices, specifically on platforms such as Android, embedded Linux or iOS. This includes analysing how a given solution works, performing code reviews and executing practical penetration testing to identify potential vulnerabilities. For this, you will work in our state-of-the-art laboratory to instrument code binaries using advanced reverse engineering techniques and investigate the extent to which the security protections can be circumvented.

You will also participate in R&D projects in the context of mobile software-based security by developing and replicating new attacks, increasing the efficiency of the evaluations, etc.

Your hard skills

  • BS degree or higher (MSc, PhD) in Software Security, Computer Science, or disciplines such as Electronics, Physics or Mathematics, or proven work experience as a software security engineer.
  • Good knowledge of mobile platform environments, such as Android, embedded Linux or iOS, and their security principles and related coding languages (Java, C, C++, assembly). You are familiar with technical concepts behind mobile platform technologies, particularly the controller architectures (ARM, x86).
  • Familiar with reverse engineering on binaries and applications, and with static and dynamic software reverse engineering analysis tools.
  • Knowledge of techniques, standards and state-of-the-art capabilities for authentication, cryptography, security vulnerabilities and countermeasures is highly desired.
  • A willingness to learn in a fast-paced, changing environment.
  • A keen interest in all aspects of security research and development.

Your soft skills

  • You can work both individually and together with fellow team members.
  • You never give up, but know when you’ve done enough. Security analysis of mobile applications is like an obstacle race. Successfully finding your way around secure implementations requires perseverance and resourcefulness.
  • You never get tired of learning new concepts and are always up to date with the latest developments and publications. Security is a constantly moving target. You are eager to use your creativity to do new things every day.
  • Security is a complex and challenging field. The key to successfully performing a thorough and adequate security evaluation lies in a good cooperation with your colleagues. You enjoy working in a collaborative manner and getting the best out of a team, keeping in mind your sense of organisation and accountability.
  • Our security evaluations are concluded by writing a detailed evaluation report. Good writing and communication skills in English are essential.

Fault Injection Security Evaluator (Delft, The Netherlands)
Location: Delft, Netherlands

One of the most powerful techniques to test a product's security is fault injection. Such attacks aim at modifying the circuit’s behaviour in order to access protected assets. Many types of fault injection attacks have been developed during the past decades, posing a critical threat for modern secured products. Fault Injection Security Evaluators use a wide range of attack methods to evaluate the security of a product.

The position

Fault injection attacks are performed in several steps, using various methods. Your daily activities involve (but are not limited to) cooperation with code and/or hardware reviewers to understand the product and its vulnerabilities, hands-on experiments in our lab, result analysis and reporting. As a Fault Injection Security Evaluator, you will be trained in these activities by an experienced colleague. Once fully trained, you will become an independent Evaluator. As attacks and products are constantly evolving, you will keep learning with the team.

Understanding the product

A fault injection test is usually one task of a larger evaluation project. These projects start with an implementation review (hardware and/or code) to identify potential vulnerabilities. This review is done by code and/or hardware reviewers who then create a test plan based on the identified vulnerabilities.

Your task starts by building an understanding of the product: its architecture, the vulnerability you are assessing, the target operation you need to attack, etc. Typically, this information is also part of the test plan and you will discuss this during the project with the rest of the team. Understanding the architecture of a microcontroller/smart card, crypto algorithms such as DES, AES, RSA, ECC etc., or payment protocols will be helpful to understand the product. This will be the first part of your training if you have no experience in this area.

Fault injection experiments

Once you have understood the product, you will prepare product samples for testing. This step can involve various preparation techniques like mechanical or chemical removal of packaging, chip thinning, the preparation of test circuit boards, etc. Skills like understanding and/or designing electronic circuits or experience with lab equipment like oscilloscopes will be helpful but they – as well as any skills needed to prepare the samples – will also be part of the training and are not mandatory.

Once the sample is prepared, you will need to write a test script (typically in JavaScript) which performs the attack on one of the various fault injection set-ups present at Brightsight. The techniques you will encounter include voltage manipulation (VM), body bias injection (BBI), electro-magnetic fault injection (EMFI) and light manipulation (LM) using various laser set-ups. During the second part of your training, you will learn how to prepare your sample and how to use all of our fault injection set-ups.

Analysis of the experiment results

As part of the experiments, you will assess the impact of the manipulation attempts performed, e.g. by analyzing the response to a target command. You will need to determine whether the product you are attacking has activated countermeasures or whether you have successfully injected a fault. This is an iterative process, based on the results of several experiments, for each of which you will actively choose the various parameters needed to thoroughly test the product. During this phase, you will discuss your results with the team and the code or hardware reviewer to better understand any unexpected activity you may observe.

Writing a report

As a final step, you will write a technical report to describe the experiments that you have performed as well as the results you have achieved. An important part of the report is your well supported conclusion with regard to the security of the product. The report must be understandable for internal and external entities, so it is important that you can determine what is important or not and have good writing skills in English.

Other activities

Besides the above-mentioned activities, Fault Injection Security Evaluators are involved in the development of (hardware or software) tools and R&D of new attacks.

Job requirements

  • We are looking for people with a BSc or MSc degree in a technical field (Electronics, Physics, Electrical Engineering) with the potential ability to understand and perform the above-mentioned daily activities of Fault Injection Security Evaluators.
  • It is important that you like to work in a lab, with oscilloscopes, function generators, and other electronic equipment.
  • Having an analytic mind and being a good team player will be a plus.
  • Experience in circuit development and knowledge of fault injection attacks are helpful but not mandatory. Brightsight provides a full training program from basics to expert level. Therefore, your motivation, potential and attitude to analyse the products are most important.
  • This job also requires that you communicate knowledge convincingly, both orally and in writing, to internal and external entities.

The field of security evaluation is very broad, constantly on the move, and very exciting. We look forward to welcoming you to our team!

Side Channel Evaluators (Delft, The Netherlands)
Location: Delft, The Netherlands

One of the most powerful techniques to assess the security of a product is the class of side channel attacks. Such attacks aim to retrieve secret information by using information that a product leaks in some indirect ways, such as power consumption, electromagnetic emission, etc. Since its advent in the 1990s, side channel analysis has become one of the critical threats to the security of modern security products such as smart cards, electronic passports, payment terminals, etc. Side Channel Evaluators will assess these products in terms of their security against state-of-the-art side channel attacks with hands-on experiments and analysis.

Understanding the product

The Side Channel Evaluator starts their tests by building an understanding of the product: the target operation, vulnerability of the product, etc. Typically, this information is delivered by code or design reviewers in the form of a test plan. Understanding of crypto algorithms such as DES, AES, RSA, ECC etc., architecture of a microcontroller/smart card, or payment protocols will be helpful to understand the product.

Measurement of side channel information

After understanding the product, the Side Channel Evaluator first prepares a sample product for measurement. Several preparation techniques may be required, for example, removal of the package using an etching machine, making a circuit board with soldering, etc. Understanding electronic circuits, having experience making them, or experience of using an oscilloscope will be helpful.

Once the sample is prepared, the Side Channel Evaluator measures power consumption or electromagnetic emission of the product using a dedicated measurement set-up.

Analysis of the measured signals

The Side Channel Evaluator analyses the measured signals first by pre-processing the traces with different kinds of signal processing techniques such as noise reduction, trace alignment, frequency domain transformation, etc., and then by applying mathematical methods such as statistical mean, correlation, multivariate-Gaussian model, mutual information, hypothesis testing, Maximum-Likelihood testing, etc.

Recent advances in the Deep Learning field have also led us to use this in Side Channel Attacks. Therefore, artificial neural networks (ANN) are now also part of side channel analysis. When only partial information of the secret key is known from the tests, the Side Channel Evaluator needs to estimate the security using probability and entropy theory. A good understanding of the above-mentioned mathematics or ANN will be helpful.

Writing a report

As a final step the Side Channel Evaluator needs to write a technical report that includes the details of the tests and the results. This report must be understood clearly by internal and external entities, so it is important to have good writing skills in English.

Besides the above-mentioned activities, Side Channel Evaluators are involved in development of (hardware or software) tools and R&D of new attacks.

Job requirements

  • We are looking for people with a BSc, MSc or PhD degree in a technical field (Information Security, Computer Science, Electronics, Mathematics, etc.) with the potential ability to understand and perform the above-mentioned daily activities of Side Channel Evaluators.
  • A good understanding of mathematics is important, as is possessing an analytic mind.
  • Experience of development of electronic circuits and knowledge of crypto algorithms are helpful but not mandatory. Brightsight provides a very good training program from the basics to the expert level. Therefore, potential and attitude to analyse the products are most important.
  • This job also requires that you communicate knowledge convincingly, both orally and in writing, to internal and external entities.
  • Working with colleagues from different backgrounds and knowledge is also important.

The field of side channel analysis is very broad, constantly on the move, and very exciting. We look forward to welcoming you to our team!

Senior Common Criteria Evaluator (Many locations)
Locations:
Delft, The Netherlands
Graz, Austria
Meyreuil, France
Barcelona, Spain
Madrid, Spain
Beijing, China
Shanghai, China
Singapore

The position

The Senior Common Criteria Evaluator is an expert in this area and has more than three years of experience in evaluating different products for different customers. With this experience you are able to understand the total field of Common Criteria and the causes of security demands in evaluation methods.

As a Senior Common Criteria Evaluator, you will participate in projects for our customers. Often you will have the role of a lead evaluator, which means that you will be responsible for the technical and/or methodological quality of the project. You will also use your knowledge and experience to inspire other younger colleagues in their development and communication to customers.

You will represent Brightsight in the field of Common Criteria to customers and during conferences and events. You will be active in defining internal R&D programs and you'll take an active role in supporting project managers during the acquisition of projects.

Our work

Brightsight evaluates the security of products: in many cases a combination of hardware and software. We assess the level of security based on internationally recognized standards. We work with financial companies such as MasterCard and VISA, certification bodies of governments and – of course – the developers/suppliers/manufacturers of security products. We also support our customers in understanding the security standards and the evaluation process.

Job requirements
  • We are looking for people with a bachelor’s or master’s degree in a technical field of study (electronics, physics, IT, mathematics) with proven experience in Common Criteria projects, preferably as an evaluator, but otherwise as a consultant or developer.
  • A track record in Common Criteria projects in telecommunication, Integrated Circuits or smart cards is required.
  • You are well familiar with the international schemes and you have contributed to several certificates for Common Criteria evaluations.
  • In addition, you need to have a hacker mentality and good all-round English language skills.

Security Evaluators with Code Review Skills (Delft, The Netherlands)
Location: Delft, The Netherlands

The position

Product security is the result of a combination of security provided by hardware and software. In general, security cannot be provided by hardware alone and needs to be complemented by security implemented in software. The smallest details can make the difference between a secure and insecure product. Careful examination is therefore required to judge the security quality. 

As a source code reviewer you explore the software implementation of various IT products ranging from financial (including mobile payment), (U)SIMs and embedded secure elements to automotive, medical and ID products. Taking a specific product, it is your task to investigate the implemented security mechanisms and to define sophisticated attack scenarios using state-of-the-art attack methods, for example, fault injection using laser, in order to exploit the vulnerabilities you discovered. It is your responsibility to convince product developers of your findings to allow them to improve their products but it is even more important to provide sufficient argumentation to certification schemes why a product is (still) secure.

Brightsight is looking for enthusiastic people who are up for this challenge and believe they have the capabilities to perform these tasks within the evaluations Brightsight performs.

Furthermore, it is important that you take pride in your ability to both understand the security of a product and assess it in the context of the security requirements. Brightsight works for many different types of customers and approval organizations. This means the assessment must be adapted to accommodate different stakeholders every time.

In this position, you will be part of a project team that performs product security evaluations. As a source code reviewer you are in touch with customers who are developing state-of-the-art products including the latest mobile payment applications.

You assess the implementation of the product and provide feedback on the customer's solution in face-to-face meetings. Customer meetings are internationally oriented, which involves discussions in different cultural contexts. You will document the findings and argumentation for both the product developer and the approval bodies. You will also support colleagues who are executing the attack scenarios you have defined.

Products change rapidly, as do the attacks applied to them, so source code reviews require constant improvement and adaptation to keep on top of what is out in the field and could threaten products you are currently assessing. You will gain significant knowledge on secure product implementation by having access to different vendor solutions. The interaction with many developers around the world is a great experience that will trigger continuous improvement.

To get up to speed for this position you will participate in the Brightsight training program on Methodology and Technology.

Job requirements

  • We are looking for people with a BSc, MSc or PhD degree in a technical field (Information Security, Computer Science, Electronics, Mathematics) who have experience with software development or testing for embedded systems.
  • You must have the ability to understand complex designs and apply conceptual thinking to distinguish what is essential from what is less important.
  • This job also requires that you communicate knowledge convincingly, both orally and in writing, to internal and external entities.
  • Knowledge of (EMV) payment products is an advantage, as is experience with security evaluations, Java Cards, attack techniques and an interest in hacking products.
  • You must have a good command of the English language.

Experienced Payment Terminal Evaluator (Delft, The Netherlands)
Location: Delft, The Netherlands

The position

The Experienced Payment Terminal Evaluator is an expert in this area and has at least three years of experience in evaluating different types of payment terminals or related devices for different customers. This experience has enabled you to understand the total field of payment terminals, including the security aspects of electronics, mechanics, embedded operating systems, security protocols, code review and side-channel analysis.

As an Experienced Payment Terminal Evaluator you will participate in projects for our customers. Often you will have the role of a lead evaluator, which means that you are responsible for the technical and methodological quality of the project. Your experience must also include taking payment terminal evaluations beyond projects. You will use your knowledge and experience to inspire other younger colleagues in their development and communication to customers.

As Experienced Payment Terminal Evaluator you will represent SGS Brightsight in the field of payment terminals to customers and during conferences and events. You will actively participate in defining internal R&D programs and you will have an active role in supporting project managers during the acquisition of projects.

Our work

Brightsight evaluates the security of products: in many cases a combination of hardware and software. We assess the level of security based on internationally recognized standards. We work with financial companies such as MasterCard and Visa, certification bodies of governments and – of course – the developers/suppliers/manufacturers of security products. We also support our customers in understanding the security standards and the evaluation process.

Job requirements
  • We are looking for people with a bachelor’s, master’s or PhD degree in a technical field (Electronics, Physics, IT, Mathematics) with proven experience in projects involving payment terminals or related devices, preferably as an evaluator, but otherwise as a consultant or developer.
  • A track record in payment terminals is required.
  • You are well acquainted with the banking schemes and you have contributed to several approvals for payment terminals.
  • A hacker mentality.
  • All-round good English language skills.

Internship at Brightsight (All Locations)

Location: Delft, The Netherlands


We are looking for students in the fields of e.g. Computer Engineering, Electrical Engineering, Informatics, Technical Informatics and Mathematics. A hacker mentality is certainly welcome, as well as good English language skills.

Locations:
Delft, The Netherlands
Graz, Austria
Meyreuil, France
Barcelona, Spain
Madrid, Spain
Clackamas, Oregon, USA
Columbia, Maryland, USA
Beijing, China
Shanghai, China
Singapore

Our internships

Brightsight has a range of assignments that can be performed by students from institutions such as the Haagse Hogeschool, Eindhoven University and TU Delft. Examples of previous assignments are:

  • Automation of evaluation tasks: develop a tool to be used in evaluations.
  • Beyond-specification test equipment: develop a device such as a card reader that enables beyond-specification testing.
  • Mobile phone data retrieval: develop a proof of concept (application) that can use internals to indirectly eavesdrop data entered.
  • Payment terminal attacks: proof of concept of hardware or software attacks, as well as of the combination.
  • Protocols: elaborate on publicly known protocols and assess the consequences for evaluation methods and tools.
  • Smart card attacks: improve assessment methods in different domains for data that is retrieved in our measurements.

For an internship we feel that the best assignments are those that you like and want to dive into. Therefore we’d like to find a match between your wishes and our opportunities.

Requirements
  • We are looking for students in the fields of e.g. Computer Engineering, Electrical Engineering, Informatics, Technical Informatics and Mathematics.
  • A hacker mentality is certainly welcome.
  • All-round good English language skills.

Open vacancy
Locations:
Delft, The Netherlands
Graz, Austria
Barcelona, Spain

We are looking for people with a fascination for IT security. If you have a background in electrical engineering, physics, computer science, software/hardware engineering, CISSP, mathematics, cryptography or a similar field, please get in touch with us!

Who we are

Brightsight is a fast-growing IT company with an international company culture (30+ nationalities), based in the Netherlands (HQ), France, Spain, United States, Singapore and China. As a recognised global leader in security evaluations, we work with major IT developers on their latest innovations. This means you will get the opportunity to work with IT products that are still in their development process. We also value a healthy work-life balance, so we have monthly Thursday afternoon drinks with table football and music. Join our team of professionals with years of experience in IT security as well as fresh, young talent!