Product Security Engineer - Threat Labs

All, Iowa, United States of America

Hewlett Packard Enterprise

Discover HPE edge-to-cloud, enterprise compute IT, data, and security solutions. Learn how HPE empowers digital transformation through AI and sustainability.


  

This role has been designated as ‘Remote/Teleworker’, which means you will primarily work from home.

Who We Are:

Hewlett Packard Enterprise is the global edge-to-cloud company advancing the way people live and work. We help companies connect, protect, analyze, and act on their data and applications wherever they live, from edge to cloud, so they can turn insights into outcomes at the speed required to thrive in today’s complex world. Our culture thrives on finding new and better ways to accelerate what’s next. We know varied backgrounds are valued and succeed here. We have the flexibility to manage our work and personal needs. We make bold moves, together, and are a force for good. If you are looking to stretch and grow your career our culture will embrace you. Open up opportunities with HPE.

Job Description:

   

The Senior Security Engineer/Threat Researcher position will be part of Aruba Threat Labs, an internal product security group focused on researching and improving the security of HPE Aruba Networking’s products, the company’s secure development practices, and the company’s vulnerability disclosure processes. Based in the Office of the CTO, the Senior Security Engineer/Threat Researcher will have responsibility across Aruba’s entire product portfolio, including LAN switching, Wi-Fi, Network Access Control, cloud, and security monitoring solutions.

Specific responsibilities will include:

  • Conduct advanced security assessments of HPE Aruba networking products, including manual code reviews and penetration testing, to uncover vulnerabilities such as memory-unsafe errors, insecure deserialization, and authentication/authorization flaws.

  • Develop proofs of concept (PoCs) to demonstrate the exploitability of identified vulnerabilities and provide actionable remediation guidance to engineering teams when requested.

  • Develop and maintain custom tools to assist in vulnerability discovery, exploit development, and tracking and disclosure of vulnerabilities to the public.

  • Assist in managing Aruba’s bug bounty program, collaborating with external researchers and product engineering teams to triage, reproduce, and remediate reported vulnerabilities.

  • Assist in writing vulnerability disclosure bulletins and managing the process of releasing those bulletins to the public.

  • Serve as a subject-matter expert on secure coding practices, particularly in memory-safe and memory-unsafe programming languages, and evangelize these practices across product engineering teams.

  • Conduct original security research on non-Aruba products and technologies, including discovering new vulnerabilities, publishing papers, and presenting at leading security conferences.

  • Positively represent Aruba in the global security community by fostering collaboration with security researchers while balancing the goals of researchers with the needs of our customers.

Requirements:

  • B.S. or M.S. in software engineering, computer science, cybersecurity, or a related field (or equivalent experience).

  • 7+ years of professional experience in software engineering, vulnerability research, penetration testing, or a related security discipline. Exceptional candidates with less experience but a strong track record of vulnerability discovery will also be considered.

  • Programming experience in C and at least one additional language used for secure software development, such as Rust, Go, or Python.

  • Hands-on experience with security testing tools and techniques, such as fuzzing, reverse engineering, and exploit development frameworks (e.g., Metasploit, Immunity Debugger, Ghidra, or IDA Pro).

  • Understanding of memory-unsafe vulnerabilities, including buffer overflows, use-after-free, integer overflows, and format string vulnerabilities, as well as mitigation techniques such as ASLR, DEP, and stack canaries.

  • Strong knowledge of web application security, including OWASP Top 10 vulnerabilities such as XSS, SQL injection, XXE, CSRF, and insecure deserialization.

  • Familiarity with secure coding practices, threat modeling, and static and dynamic application security testing (SAST/DAST) tools.

  • Knowledge of modern cryptographic algorithms and security protocols (e.g., TLS, IPsec, OAuth) and their implementation pitfalls.

  • Demonstrated ability to analyze, exploit, and remediate security vulnerabilities in complex codebases.


  • Strong written and verbal communication skills, with the ability to create detailed technical reports and convey complex concepts to both technical and non-technical stakeholders.

  • Effective problem-solving skills and a strong attention to detail.

  • Ability to work independently and collaboratively within a geographically distributed team.

  • Due to the nature of the role, must be a US Citizen or a Green Card holder.

Preferred Qualifications:

  • Experience with fuzzing frameworks (e.g., AFL, libFuzzer) and advanced static analysis tools.

  • Experience with reverse engineering firmware, embedded systems, or IoT devices.

  • Familiarity with secure development lifecycles (SDLC) and DevSecOps practices.

  • Knowledge of modern cloud architectures and security concerns in cloud-native applications.

  • Experience contributing to or managing open-source security projects.

  • Certifications such as OSCP, OSWE, or GREM are a plus, but not required.

Additional Characteristics:

  • The ideal candidate will be self-driven, curious, and passionate about security research with a proven ability to think like an attacker. They will thrive in a collaborative environment, enjoy mentoring fellow team members, and be enthusiastic about contributing to the broader security community.

Additional Skills:

Cloud Architectures, Cross Domain Knowledge, Design Thinking, Development Fundamentals, DevOps, Distributed Computing, Microservices Fluency, Full Stack Development, Security-First Mindset, User Experience (UX)

What We Can Offer You:

Health & Wellbeing

We strive to provide our team members and their loved ones with a comprehensive suite of benefits that supports their physical, financial and emotional wellbeing.

Personal & Professional Development

We also invest in your career because the better you are, the better we all are. We have specific programs catered to helping you reach any career goals you have — whether you want to become a knowledge expert in your field or apply your skills to another division.

Unconditional Inclusion

We are unconditionally inclusive in the way we work and celebrate individual uniqueness. We know varied backgrounds are valued and succeed here. We have the flexibility to manage our work and personal needs. We make bold moves, together, and are a force for good.

Let's Stay Connected:

Follow @HPECareers on Instagram to see the latest on people, culture and tech at HPE.

#unitedstates

#aruba

Job:

Engineering

Job Level:

TCP_04

    

States with Pay Range Requirement

The expected salary/wage range for a U.S.-based hire filling this position is provided below. Actual offer may vary from this range based upon geographic location, work experience, education/training, and/or skill level. If this is a sales role, then the listed salary range reflects combined base salary and target-level sales compensation pay. If this is a non-sales role, then the listed salary range reflects base salary only. Variable incentives may also be offered. Information about employee benefits offered can be found at https://myhperewards.com/main/new-hire-enrollment.html.

USD Annual Salary: $101,900.00 - $234,500.00

HPE is an Equal Employment Opportunity/Veterans/Disabled/LGBT employer. We do not discriminate on the basis of race, gender, or any other protected category, and all decisions we make are made on the basis of qualifications, merit, and business need. Our goal is to be one global team that is representative of our customers, in an inclusive environment where we can continue to innovate and grow together.

Hewlett Packard Enterprise is EEO Protected Veteran/ Individual with Disabilities.

   

HPE will comply with all applicable laws related to employer use of arrest and conviction records, including laws requiring employers to consider for employment qualified applicants with criminal histories.


Tags: Application security C Cloud Computer Science CSRF DAST DevOps DevSecOps Exploit Full stack Ghidra GREM IDA Pro IoT Metasploit Microservices Monitoring OSCP OSWE OWASP Pentesting POCs Product security Python Reverse engineering Rust SAST SDLC Security assessment SQL SQL injection TLS Vulnerabilities XSS XXE

Perks/benefits: Career development Conferences Health care

Region: North America
Country: United States
