Security Engineer -- Web Pentester
Summary of the role
Mozilla Enterprise Information Security is responsible for the day to day security of Mozilla systems and properties, including those delivering Firefox to millions of users and powering 10,000+ volunteers and developers.
As a penetration tester for the Mozilla Enterprise Information Security team you will proactively, collaboratively and purposely test and evaluate the operational security stance of key Mozilla services, vendors, systems and integrations as implemented. You will be a primary operative for assessing vendor, SaaS and other proposed implementations and integrations to key Mozilla systems with an eye towards understanding the complete set of security controls for a business function and the actual security assurance those controls provide.
You wonder how things work. You wonder if they can be made to work differently long after others have stopped reading the manual. You understand that penetration testing is more than vulnerability scanning. You are not afraid to responsibly question a vendor’s representation of their security, yet understand that no solution offers perfect security. You understand that a system is more than the sum of its parts and that the parts often include internal, external, vendors, SaaS, cloud providers and in-house components. You are able and eager to work with business-focused people on solutions to mitigate security issues in existing and proposed systems.
Key focus areas
- Participate in recurrent penetration testing/red team exercises at Mozilla
- Perform security reviews of vendor security for proposed services, software purchases, SaaS integrations, and RFPs
- Define, standardize and document the process and artifacts of system and vendor reviews
- Actively test the security stance of our services as provided through SaaS, PaaS, cloud providers, or offices and Mozilla data centers
- Partner with key Mozilla web sites to help them enhance their security posture
- Participate in the Web Security Bug bounty program to help triage reports through to completed remediations
- Determine the effective security stance of Mozilla properties as implemented using a combination of approaches (code reviews, white box, black box testing, hands-on scanning, phishing, social engineering, etc.)
- Validate that security controls perform as expected and planned
- Validate vulnerability ratings through hands-on testing of Mozilla services as implemented in a variety of our operating environments including cloud providers, platform as a service, in house data centers, office locations, etc
- Recommend fixes for vulnerabilities discovered during testing exercises
- Writing exploits and/or proof of concept code that demonstrate the impact of vulnerabilities found
- Regularly test the implementation of security controls and vulnerability ratings of services inside and outside Mozilla, including SaaS, PaaS, cloud providers, etc.
- Integration of continuous penetration testing into a variety of traditional and DevOps environments
- Writing unit tests to alert us on regressions with vulnerabilities
- Automation of both day-to-day and critical functions
- Provide design, architecture, and operational guidance on a variety of projects
Skills and experience
- Bachelor's degree in computer science (or related program) or equivalent work experience
- Demonstrated experience using a mix of commercial, open source and in-house developed tools as needed to exercise security controls, discover weaknesses and test response capabilities
- Able to quickly dive into source code and understand its organization, point out typical dangerous code patterns, provide guidance, etc.
- Demonstrated experience operating in sensitive, operational production environments, red teaming, and/or CTF type events
- 3+ years of experience in hands-on web application penetration testing engagements
- Comfortable discussing security impact, risks, vulnerabilities and threats to a variety of audiences and capable of balancing security with the need to move projects forward
- Comfortable with open and direct communication in a very transparent culture, navigating strong opinions while driving towards organizational goals
We are an equal opportunity employer and value diversity at our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status.