Product Security Engineer (AppSec) Assessment - GitHub

Listing Description

GitHub is changing the way the world builds security software and we want you to help change the way we secure GitHub. We are looking for an experienced application security engineer to join our Product Security Engineering (PSE) Assessment team.
GitHub's Assessment team is responsible for identifying security gaps in our software through runtime and static software security testing, participating in deeply technical threat models, executing Rapid Risk Assessments (RRAs), and providing consultative functions to both engineers and other Security team members.


We're looking for an engineer with a zest for securing modern software stacks through the identification of security vulnerabilities to join the team. You will not only identify security gaps in our software and services, but will also collaborate with team members across the organization to ensure GitHub is the most trustworthy platform for developers everywhere to create and build software.
Discovering vulnerabilities is only one step in our Security Development Lifecycle. The Assessment team continually and regularly contributes to preemptive security efforts such as guiding secure code standards, consultation on external security assessments and audits, and assisting our incident response teams with variant analysis.


Responsibilities



  • Participate in and drive application security review at all parts of the Software Development Lifecycle, including threat modeling, code review and dynamic testing

  • Consult with engineers to design secure code

  • Collaborate with engineers to track vulnerability resolution

  • Assist in automating testing to detect vulnerabilities at scale

  • Assist in variant analysis during our incident response process to identify similar vulnerabilities across our code bases and ensure thorough remediation


Minimum Qualifications



  • Extensive experience in application security principles, best practices and common web security vulnerabilities

  • Significant experience scoping and executing application security testing and code review across complex code bases

  • Experience with performing threat modeling

  • Excellent written and verbal communication skills allowing you to clearly explain intricate vulnerabilities and technically sound mitigations

  • Fundamental knowledge of HTTP, Twirp, gRPC, Git and network protocols and standards such as DNS and TCP/IP


Bonus points if you have



  • Experience in cloud architecture security (e.g., Azure, AWS, GCP)

  • Experience utilizing GitHub product features, such as GitHub Actions

  • Industry standard certifications (OSCP, OSWE, etc.)

  • Experience and expertise using CodeQL as well as writing CodeQL queries


 


Listing Details

  • Citizenship: Not Provided
  • Incentives: Not Provided

 

  • Education: Not Provided
  • Travel: Not Provided
  • Telework: Not Provided


