Job Description

Job Description Principal Security Software Engineer Are you interested in building large-scale distributed software for the cloud? Oracles Service Cloud team is building Software-as-a-Service technologies that operate at high scale in a broadly distributed multi-tenant cloud environment. Our customers run their businesses on our cloud, and our mission is to provide them with best in class compute, storage, networking, database, security, and an ever expanding set of foundational cloud-based services. Were looking for hands-on engineers with expertise and passion in identifying and resolving difficult security problems in distributed systems, virtualized infrastructure, and highly available services. If this is you, at Oracle you can design and build innovative new systems from the ground up. These are exciting times in our space - we are growing fast, still at an early stage, and working on ambitious new initiatives. An engineer at any level can have significant technical and business impact. As a Principal Security Software Engineer you will review the software design and development for all components of Oracles Service Cloud team. Develops and execute programs and processes to reduce information security risk and strengthen Oracles security posture. You should value simplicity and scale, work comfortably in a collaborative, agile environment, and be excited to learn. Things you'll do:* Penetration testing* Hardening of network, software and firmware* Security tool development (e.g. scanning tools)* Security metrics definition and delivery* Consult across different software development teams* Attack vector modeling* Champion secure coding practices Minimum Qualifications: Bachelors or Masters degree in Computer Science or related field 7+ years of experience in software engineering or related field Experience working in a large cloud or Internet software company preferred Strong application/product/software security background Ability to effectively assess and communicate risks and appropriate levels of urgency to management and engineering staff Excellent organizational, verbal and written communication skills Ability to succeed through collaboration and working through internal and external organizations and individuals Prior DevOps or continuous delivery and deployment experience preferred Strong security testing experience with Fortify, Burp, Zap or Webinspect. Thorough understanding of latest security principles, techniques, and protocols. Security certifications is a plus. Skills Required: Application architecture and design reviews; Penetration Testing and Vulnerability assessments; Web Services and API security assessments; Product Security Assessments and Threat Modeling; Dynamic Vulnerability Scanning using automated application scanners; Execute Secure Code Audits using manual and automated methods to review product codes; Secure SDLC Processes including DevOps and Agile; Knowledge of languages, including Java, .Net, PHP, C++, and XML; Security Testing tools, including Nmap, Nessus, Web Inspect, BurpSuite, ZAP Scanner, Fortify Secure code scanner, SOAP UI, Kali Linux, and Metasploit; Operating Systems including Windows and Linux; Cryptographic algorithms, hashing algorithms, encryption; and Network and web related protocols, including TCP/IP, TLS/SSL, HTTP, and FTP. Detailed Description and Job Requirements As a member of the software security team, you will assist in defining and developing software for tasks associated with the security testing of software applications. Provide technical leadership to other software developers. Specify, design and implement modest changes to existing software architecture to meet changing needs. Develop, implement, and enforce Oracles security policies. Develop, implement, and manage Oracles compliance with operational security procedures. Develop Security Review threat model and operationalization standards for cloud services to be built and deployed into Oracles Service cloud. Duties and tasks are varied and complex needing independent judgment. Fully competent in own area of expertise. Oracle is an Equal Employment Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, sexual orientation, gender identity, disability and protected veterans status or any other characteristic protected by law. Career Level - IC4 Career Level - IC4 Responsibilities Supports the strengthening of Oracles security posture, focusing on one or more of the following: risk management; regulatory compliance; threat and vulnerability management; incident management and response; security policy development and enforcement; privacy; information security education, training and awareness (ISETA); digital forensics and similar focus areas.Risk Management: Brings advanced level skills to assess the information security risk associated with existing and proposed business operational programs, systems, applications, practices and procedures in very complex, business-critical environments. May conduct and document very complex information security risk assessments. May assist in the creation and implementation of security solutions and programs.Regulatory Compliance: Brings advanced level skills to manage programs to establish, document and track compliance to industry and government standards and regulations, e.g. ISO-27001, PCI-DSS, HIPAA, FedRAMP, GDPR, etc. Researches and interprets current and pending governmental laws and regulations, industry standards and customer and vendor contracts to communicate compliance requirements to the business. Participates in industry forums monitoring developments in regulatory compliance.Threat and Vulnerability Management: Brings advanced level skills to research, evaluate, track, and manage information security threats and vulnerabilities in situations where in-depth analysis of ambiguous information is required.Incident Management and response: Brings advanced level skills to respond to security events, identifying possible intrusions and responding in line with Oracle incident response playbooks. May operate as Incident Commander on serious incidents.Digital Forensics: Brings advanced level skills to conduct data collection, preservation and forensic analysis of digital media independently, where an advanced understanding of forensic techniques is required.Other areas of focus may include duties providing advanced level skills and knowledge to manage Information Security Education, Training and Awareness programs. In Security role, may manage the creation, review and approval of corporate information security policies.Mentors and trains other team members. Compiles information and reports for management.