R&D Principal Software Engineer - Security Response Engineering

Job Description:

R&D Principal Software Engineer - Security Response Engineering

The Elevator Pitch: Why will you enjoy this new opportunity?

Broadcom VMware Cloud Foundation (VCF) products and services are trusted by various organizations for their mission critical systems. Many of these systems demand the highest confidentiality and are of extreme interest to nation state actors. The vSECR team within the VCF Division at Broadcom is responsible for defending these products, services and their supply chains.

If helping find and fix security holes in these systems is your idea of a fun career, then you should come join this team. Working alongside other highly motivated and capable security engineers you will get first-hand experience in modern threats, attack, and defense techniques.

Success in the Role: What are the performance outcomes over the first 6-12 months you will work toward completing?

Security Engineers on the team are responsible for triage, investigation, management and communication of security vulnerabilities reported by external researchers. You will be responsible for assessing threats, analyzing externally reported vulnerabilities, supporting teams in providing vulnerability mitigations, virtual patches, workarounds and fix recommendations. You will maintain the highest quality of work while driving programs to completion, prioritizing incoming requests, contending priorities and managing high profile communications. You will work closely with a variety of teams across Broadcom to achieve our goal of protecting our customers. The role will focus on the growth and management of VCF products from a security perspective and will require involvement in the authoring of VMware Security Response Center (vSRC) communications including security advisories, blogs and knowledge base articles.

In the first 6mths, you will be expected to become intimately familiar with VCF products/components assigned to you. You should also be able to reproduce externally reported security issues in those components, engage with external reporters and drive fixes into patch releases, in collaboration with a member of your team. Within 1 year, you are expected to be fairly independent in doing security assessments and driving mitigations/remediations with product development and release teams, while being proactive with security researcher engagement.

The Work: What type of work will you be doing? What assignments, requirements, or skills will you be performing on a regular basis?

• Oversee all aspects of the security response process from triage to remediation and communication of high profile externally reported vulnerabilities
• Reproduce externally reported vulnerabilities, assess for lateral impact and develop proof of concepts for those vulnerabilities
• Provide tools (Scripts/checklists) for development teams to verify if their products are impacted as well as validate fixes
• Work with tools such as Blackduck, Burp, Nessus, and Coverity for security defect discovery. Be familiar with OSS vulnerability discovery platforms like vulnhub, GHSA, openwall, etc.
• Assess OSS vulnerabilities for potential impact to VCF products
• Proficient in Python and at least one of C/C++ or Java
• Enable models and IOCs for SOC to detect similar families of TTPs
• Make entire kill-chain understandable to an engineering audience
• Partner with different business units across Broadcom to build and support processes to support a high profile response
• Build PSIRT expertise, creating, maintaining and enhancing process and policy documentation
• Define and report program roadmap, status, development issues and success metrics for High Profile process
• Perform RCCA and present on high profile vulnerabilities to executive staff
• Monitor and develop intelligence sources to maintain situational awareness of the cyber threat landscape
• Work with a diverse group of stakeholders from technical to executive level
• Bachelor's degree in Computer Science or related field and 12+ years of related experience or Masters degree in Computer Science or related field and 10+ years of related experience