Product Security Engineer - Aruba Threat Labs

San Juan, Puerto Rico

Hewlett Packard Enterprise

Discover HPE edge-to-cloud, enterprise compute IT, data, and security solutions. Learn how HPE empowers digital transformation through AI and sustainability.


This role has been designed as ‘Hybrid’ with an expectation that you will work on average 2 days per week from an HPE office.

Who We Are:

Hewlett Packard Enterprise is the global edge-to-cloud company advancing the way people live and work. We help companies connect, protect, analyze, and act on their data and applications wherever they live, from edge to cloud, so they can turn insights into outcomes at the speed required to thrive in today’s complex world. Our culture thrives on finding new and better ways to accelerate what’s next. We know varied backgrounds are valued and succeed here. We have the flexibility to manage our work and personal needs. We make bold moves, together, and are a force for good. If you are looking to stretch and grow your career our culture will embrace you. Open up opportunities with HPE.

Job Description:

   

The Senior Security Engineer/Threat Researcher position will be part of Aruba Threat Labs, an internal product security group focused on researching and improving the security of HPE Aruba Networking’s products, the company’s secure development practices, and the company’s vulnerability disclosure processes. Based in the Office of the CTO, the Senior Security Engineer/Threat Researcher will have responsibility across Aruba’s entire product portfolio, including LAN switching, Wi-Fi, Network Access Control, cloud, and security monitoring solutions.

How you'll make your mark:

  • Conduct advanced security assessments of HPE Aruba Networking products, including manual code reviews and penetration testing, to uncover vulnerabilities such as memory-unsafe errors, insecure deserialization, and authentication/authorization flaws.

  • Develop proofs of concept (PoCs) to demonstrate the exploitability of identified vulnerabilities and provide actionable remediation guidance to engineering teams when requested.

  • Develop and maintain custom tools to assist in vulnerability discovery, exploit development, and tracking and disclosure of vulnerabilities to the public.

  • Assist in managing Aruba’s bug bounty program, collaborating with external researchers and product engineering teams to triage, reproduce, and remediate reported vulnerabilities.

  • Assist in writing vulnerability disclosure bulletins and managing the process of releasing those bulletins to the public.

  • Serve as a subject-matter expert on secure coding practices, particularly in memory-safe and memory-unsafe programming languages, and evangelize these practices across product engineering teams.

  • Conduct original security research on non-Aruba products and technologies, including discovering new vulnerabilities, publishing papers, and presenting at leading security conferences.

  • Positively represent Aruba in the global security community by fostering collaboration with security researchers while balancing the goals of researchers with the needs of our customers.

About you:

  • B.S. or M.S. in software engineering, computer science, cybersecurity or a related field (or equivalent experience).

  • 6+ years of professional experience in software engineering, vulnerability research, penetration testing, or a related security discipline.

  • Programming experience in C and at least one additional language used for secure software development, such as Rust, Go, or Python.

  • Hands-on experience with security testing tools and techniques, such as fuzzing, reverse engineering, and exploit development frameworks (e.g., Metasploit, Immunity Debugger, Ghidra, or IDA Pro).

  • Understanding of memory-unsafe vulnerabilities, including buffer overflows, use-after-free, integer overflows, and format string vulnerabilities, as well as mitigation techniques such as ASLR, DEP, and stack canaries.

  • Strong knowledge of web application security, including OWASP Top 10 vulnerabilities such as XSS, SQL injection, XXE, CSRF and insecure deserialization.

  • Familiarity with secure coding practices, threat modeling, and static and dynamic application security testing (SAST/DAST) tools.

  • Knowledge of modern cryptographic algorithms and security protocols (e.g., TLS, IPsec, OAuth) and their implementation pitfalls.

  • Demonstrated ability to analyze, exploit, and remediate security vulnerabilities in complex codebases.

  • Strong written and verbal communication skills, with the ability to create detailed technical reports and convey complex concepts to both technical and non-technical stakeholders. Advanced English proficiency.

Preferred Qualifications:

  • Experience with fuzzing frameworks (e.g., AFL, libFuzzer) and advanced static analysis tools.

  • Knowledge of reverse engineering firmware, embedded systems, or IoT devices.

  • Familiarity with secure development lifecycles (SDLC) and DevSecOps practices.

  • Knowledge of modern cloud architectures and security concerns in cloud-native applications.

  • Experience contributing to or managing open-source security projects.

  • Certifications such as OSCP, OSWE, or GREM are a plus, but not required.

Additional Characteristics:

  • The ideal candidate will be self-driven, curious, and passionate about security research with a proven ability to think like an attacker. They will thrive in a collaborative environment, enjoy mentoring fellow team members, and be enthusiastic about contributing to the broader security community.

Additional Skills:

Accountability, Action Planning, Active Learning (Inactive), Active Listening, Agile Methodology, Agile Scrum Development, Analytical Thinking, Bias, Coaching, Creativity, Critical Thinking, Cross-Functional Teamwork, Data Analysis Management, Data Collection Management (Inactive), Data Controls, Design, Design Thinking, Empathy, Follow-Through, Group Problem Solving, Growth Mindset, Intellectual Curiosity (Inactive), Long Term Planning, Managing Ambiguity

What We Can Offer You:

Health & Wellbeing

We strive to provide our team members and their loved ones with a comprehensive suite of benefits that supports their physical, financial and emotional wellbeing.

Personal & Professional Development

We also invest in your career because the better you are, the better we all are. We have specific programs catered to helping you reach any career goals you have — whether you want to become a knowledge expert in your field or apply your skills to another division.

Unconditional Inclusion

We are unconditionally inclusive in the way we work and celebrate individual uniqueness. We know varied backgrounds are valued and succeed here. We have the flexibility to manage our work and personal needs. We make bold moves, together, and are a force for good.

Let's Stay Connected:

Follow @HPECareers on Instagram to see the latest on people, culture and tech at HPE.

#puertorico

#networking

Job:

Engineering

Job Level:

TCP_04

    

HPE is an Equal Employment Opportunity/Veterans/Disabled/LGBT employer. We do not discriminate on the basis of race, gender, or any other protected category, and all decisions we make are made on the basis of qualifications, merit, and business need. Our goal is to be one global team that is representative of our customers, in an inclusive environment where we can continue to innovate and grow together. Please click here: Equal Employment Opportunity.

Hewlett Packard Enterprise is EEO Protected Veteran/Individual with Disabilities.

   

HPE will comply with all applicable laws related to employer use of arrest and conviction records, including laws requiring employers to consider for employment qualified applicants with criminal histories.
