Principal Security Engineer

THIRUVANANTHAPURAM, KERALA, India

Oracle

Oracle offers a comprehensive and fully integrated stack of cloud applications and cloud platform services.


Principal Security Software Engineer

 

Are you interested in building large-scale distributed software for the cloud? Oracle’s Service Cloud team is building Software-as-a-Service technologies that operate at high scale in a broadly distributed multi-tenant cloud environment. Our customers run their businesses on our cloud, and our mission is to provide them with best-in-class compute, storage, networking, database, security, and an ever-expanding set of foundational cloud-based services.

 

We’re looking for hands-on engineers with expertise and passion in identifying and resolving difficult security problems in distributed systems, virtualized infrastructure, and highly available services. If this is you, at Oracle you can design and build innovative new systems from the ground up. These are exciting times in our space - we are growing fast, still at an early stage, and working on ambitious new initiatives. An engineer at any level can have significant technical and business impact.

 

As a Principal Security Software Engineer you will review the software design and development for all components of Oracle’s Service Cloud team. You will develop and execute programs and processes to reduce information security risk and strengthen Oracle’s security posture. You should value simplicity and scale, work comfortably in a collaborative, agile environment, and be excited to learn.

 

Things you'll do:
* Penetration testing
* Hardening of network, software and firmware
* Security tool development (e.g. scanning tools)
* Security metrics definition and delivery
* Consult across different software development teams
* Attack vector modeling
* Champion secure coding practices

 

Minimum Qualifications: 

  • Bachelor’s or Master’s degree in Computer Science or related field
  • 7+ years of experience in software engineering or related field
  • Experience working in a large cloud or Internet software company preferred
  • Strong application/product/software security background
  • Ability to effectively assess and communicate risks and appropriate levels of urgency to management and engineering staff
  • Excellent organizational, verbal and written communication skills
  • Ability to succeed through collaboration and working through internal and external organizations and individuals
  • Prior DevOps or continuous delivery and deployment experience preferred
  • Strong security testing experience with Fortify, Burp, ZAP or WebInspect
  • Thorough understanding of the latest security principles, techniques, and protocols
  • Security certifications are a plus
     

Skills Required:

  1. Application architecture and design reviews;
  2. Penetration Testing and Vulnerability assessments;
  3. Web Services and API security assessments;
  4. Product Security Assessments and Threat Modeling;
  5. Dynamic Vulnerability Scanning using automated application scanners;
  6. Execute Secure Code Audits using manual and automated methods to review product code;
  7. Secure SDLC Processes including DevOps and Agile;
  8. Knowledge of languages, including Java, .NET, PHP, C++, and XML;
  9. Security Testing tools, including Nmap, Nessus, WebInspect, Burp Suite, ZAP Scanner, Fortify Secure code scanner, SoapUI, Kali Linux, and Metasploit;
  10. Operating Systems including Windows and Linux; 
  11. Cryptographic algorithms, hashing algorithms, encryption; and 
  12. Network and web related protocols, including TCP/IP, TLS/SSL, HTTP, and FTP.

Detailed Description and Job Requirements

As a member of the software security team, you will assist in defining and developing software for tasks associated with the security testing of software applications. Provide technical leadership to other software developers. Specify, design and implement modest changes to existing software architecture to meet changing needs. Develop, implement, and enforce Oracle’s security policies. Develop, implement, and manage Oracle’s compliance with operational security procedures. Develop Security Review threat model and operationalization standards for cloud services to be built and deployed into Oracle’s Service Cloud.


Duties and tasks are varied and complex needing independent judgment. Fully competent in own area of expertise. 


Oracle is an Equal Employment Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, sexual orientation, gender identity, disability and protected veterans status or any other characteristic protected by law.

Career Level - IC4

Supports the strengthening of Oracle’s security posture, focusing on one or more of the following: risk management; regulatory compliance; threat and vulnerability management; incident management and response; security policy development and enforcement; privacy; information security education, training and awareness (ISETA); digital forensics and similar focus areas.
Risk Management: Brings advanced level skills to assess the information security risk associated with existing and proposed business operational programs, systems, applications, practices and procedures in very complex, business-critical environments.  May conduct and document very complex information security risk assessments. May assist in the creation and implementation of security solutions and programs.
Regulatory Compliance: Brings advanced level skills to manage programs to establish, document and track compliance to industry and government standards and regulations, e.g. ISO-27001, PCI-DSS, HIPAA, FedRAMP, GDPR, etc.  Researches and interprets current and pending governmental laws and regulations, industry standards and customer and vendor contracts to communicate compliance requirements to the business. Participates in industry forums monitoring developments in regulatory compliance.
Threat and Vulnerability Management:  Brings advanced level skills to research, evaluate, track, and manage information security threats and vulnerabilities in situations where in-depth analysis of ambiguous information is required.
Incident Management and response:  Brings advanced level skills to respond to security events, identifying possible intrusions and responding in line with Oracle incident response playbooks. May operate as Incident Commander on serious incidents.
Digital Forensics:  Brings advanced level skills to conduct data collection, preservation and forensic analysis of digital media independently, where an advanced understanding of forensic techniques is required.
Other areas of focus may include duties providing advanced level skills and knowledge to manage Information Security Education, Training and Awareness programs. In a Security role, may manage the creation, review and approval of corporate information security policies.
Mentors and trains other team members. 
Compiles information and reports for management.

As a world leader in cloud solutions, Oracle uses tomorrow’s technology to tackle today’s problems. True innovation starts with diverse perspectives and various abilities and backgrounds.

When everyone’s voice is heard, we’re inspired to go beyond what’s been done before. It’s why we’re committed to expanding our inclusive workforce that promotes diverse insights and perspectives.

We’ve partnered with industry leaders in almost every sector—and continue to thrive after 40+ years of change by operating with integrity.

Oracle careers open the door to global opportunities where work-life balance flourishes. We offer a highly competitive suite of employee benefits designed on the principles of parity and consistency. We put our people first with flexible medical, life insurance and retirement options. We also encourage employees to give back to their communities through our volunteer programs.

We’re committed to including people with disabilities at all stages of the employment process. If you require accessibility assistance or accommodation for a disability at any point, let us know by calling +1 888 404 2494, option one.

Disclaimer:

Oracle is an Equal Employment Opportunity Employer*. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, sexual orientation, gender identity, disability and protected veterans’ status, or any other characteristic protected by law. Oracle will consider for employment qualified applicants with arrest and conviction records pursuant to applicable law.

* Which includes being a United States Affirmative Action Employer


Tags: Agile APIs Audits Burp Suite C Cloud Compliance Computer Science DevOps Encryption FedRAMP Forensics GDPR Hashing HIPAA Incident response Java Kali Linux Metasploit Monitoring Nessus Nmap Oracle Pentesting PHP Privacy Product security Risk assessment Risk management SDLC Security assessment TCP/IP TLS Vulnerabilities Vulnerability management Windows XML

Perks/benefits: Career development Flex hours Insurance Startup environment Team events

Region: Asia/Pacific
Country: India
