GoPro is looking for a Purple Team Security Engineer to join our Information Security team to ensure GoPro’s applications and services are designed and implemented to maintain and enhance customer trust. As part of the enterprise Information Security team, you will participate in a position which demands a unique blend of both Red teaming and Blue teaming skillsets.
You will aid in the build-out of a brand-new Red Team for performing attack simulations, adversarial threat modeling, and penetration tests. You will be responsible for discovering vulnerabilities in GoPro products and services, and conduct threat modeling exercises on people, processes, and technologies. You will also design red team exercises in collaboration with internal engineering teams to help improve security incident response and help mature the overall offensive security program.
Efforts on the Blue Team include, but are not limited to, engaging with internal engineering groups to advise on remediating risks pertaining to architecture, products and applications, developing mitigation plans and policy, conducting or aiding in DF/IR, performing static and dynamic application source code analysis, and administering the company’s bug bounty program.
What You Will Do
- Partner with Engineering, Product, IT, and other Security functions to drive security improvement across the organization
- Participate in blue / purple-team exercises to improve efficacy of internal security programs
- Identify software security design and architectural risks, and develop mitigation plans
- Collaboratively define threat models, scope, and prioritize offensive security engagements. Integrate offensive security into security development lifecycle
- Perform security assessments on native, managed, and interpreted software using static and dynamic analysis techniques, white-box, and black-box testing methods
- Research emerging attack vectors and techniques, including targeting user endpoints, cloud platforms & systems, development infrastructure, system integrations, and everything in between.
- Participate in Incident Response and problem remediation
- Design and plan offensive exercises based on research into threat actors most relevant to GoPro’s business operations
- Conduct attacks and emulate attack campaigns to mimic adversarial tactics, techniques, and procedures.
- Develop proof-of-concepts, triage security bugs, and notify the appropriate engineering teams
- Build, modify, and implement tooling and automation to improve the offensive capabilities of the team to meet our evolving objectives and mitigate security threats
- Perform web, mobile, and desktop application penetration testing
- Perform ongoing, proactive testing of GoPro’s internal and external attack surface
- Develop training programs on security-related topics such as threat modeling, user awareness, attack techniques, and mitigation strategies
- Document and effectively contextualize issues with respect to business impact
Skills We’re Excited About
- You have 2+ years of work experience performing vulnerability research, penetration testing, reverse engineering, application and infrastructure security assessment, and adversary emulation exercises.
- BS in Computer Science or equivalent preferred
- Experience implementing security solutions at various company sizes and system complexity
- Experience in tailored reconnaissance, weaponization, exploitation, and lateral movement
- Experience with offensive attack infrastructure development, deployment, and management
- Excellent written and verbal communication skills
- Demonstrated experience developing and deploying custom tailored offensive capabilities
- Experience with security testing tools such as Burp Suite, OWASP, Zap or related
- Knowledge of application, service, API, and endpoint attack techniques
- Experience reviewing source code for control flow and security flaws
- Familiarity with attacking and defending cloud services running in modern cloud environments
- Programming experience in Python and/or Go to build security tools
- Previous experience working in collaborative Red Teams
Bonus Points For
- At least 3 years of system, network and/or application security experience
- Experience with service-oriented architecture and web services security
- Experience with the application of threat modeling or other risk identification techniques Scripting skills with Bash, Ruby, Python or Perl
- Experience in system administration and support
- Excellent leadership skills and teamwork skills
- Results oriented, high energy, self-motivated
- Experience integrating security code analysis tools in the SDLC
- Experience with binary reverse-engineering using tools such as IDA Pro, radare2, OllyDbg, and hex editors
- Experience working with teams in multiple geographical locations
- Published Security advisories, vulnerability research and bug bounties
- Speaking / publishing at security conferences
- Publicly released tools or modules
- Get your very own GoPro camera + gear
- Medical, dental, and vision insurance – premiums are 100% paid for employees, 80% paid for dependents
- Life insurance and disability benefits
- Generous time off policy
- 12 weeks paid parental leave for new parents
- Pre-tax and Roth 401(k) options
- Discounted employee stock purchase plan (ESPP)
- LiveHealthy monthly wellness reimbursement
- Innovative remote-friendly wellness classes and events
- Flexible work arrangements
- Opportunities to get involved in the causes that you care about (annual camera donation + volunteer events)
We strive for the day that no group can be described as underrepresented at GoPro – whether as part of our brand or in our workforce. We are committed to providing a more inclusive, representative, equal, just and happy world. GoPro is proud to be an Equal Opportunity Employer.
GoPro requires that all onsite visitors and workers be fully vaccinated for COVID-19. Roles that are designated as remote do not require vaccination to perform the role but will not be permitted to visit GoPro’s office locations if unvaccinated. An exception to this rule may be made if you qualify for an approved accommodation.
The ranges added below are for Colorado-based hires only and will be dependent on candidate experience. Pay ranges for candidates in other locations other than CO may differ. Pay range: $111,775-$131,500.