Our mission: To be Earth's most customer-centric company.
Come join our offensive security team dedicated to the detection and exploitation of vulnerabilities affecting Amazon consumer devices. This includes performing low-level reviews of hardware, bootloaders, radios, secure enclaves, or OS security features of devices, service reviews including authentication mechanisms, AI, mobile, & web apps. Engineers are also encouraged to experiment with automated techniques, such as symbolic execution, fuzzing, machine learning, or static analysis.
Amazon Devices (Lab126) is an inventive research and development company that designs and engineers high-profile consumer electronics. Lab126 began in 2004 as a subsidiary of Amazon.com (http://amazon.com/), Inc., originally creating the best-selling Kindle family of products. Since then, we have produced groundbreaking devices like Amazon Echo, Astro, Kuiper, Ring Always Home Cam Drone, Fire tablets, and Fire TV. What will you help us create?
Are you interested in being part of a top-notch security team covering all Amazon consumer devices (including hardware and low-level functionality) as well as key Amazon services supporting our devices (such as Computer Vision, Alexa, Kindle, etc.)? Do you want to be part of an offensive security team dedicated to detection and exploitation of vulnerabilities prior to launch in order to keep Amazon consumer devices and services safe? Your work directly impacts the way our customers, teams, and business across the globe get things done. If you want to keep customers safe, then we have a job for you! You can learn more about security at Lab 126 here: https://www.youtube.com/watch?v=k0UTTxzeGog.
In this role, you will be part of a dedicated team of talented security engineers performing penetration testing exercises to identify vulnerabilities. You will strive to understand systems, software, and services deeply and develop creative ways to break assumptions in order to find vulnerabilities. You care deeply about keeping Amazon customers safe and therefore are passionate about mitigating vulnerabilities/risks by providing actionable guidance to product teams and drive long term security improvements. You’re well-known for your excellent prioritization skills as well as your ability to communicate at all levels of an organization. If you’re passionate about finding security bugs, writing tools to reduce manual testing, and enjoy seeing your work’s impact across Amazon consumer products and services, then this position is for you. Candidates from entry to senior level will all be considered.
Key job responsibilities
- Perform penetration testing exercises across all products, services, and software released by Amazon Lab126 and develop proof of concept exploits.
- Perform vulnerability research using variety of custom tooling and technologies (e.g. symbolic execution, static analyzers, fuzzers, scanners, machine learning, etc).
- Create tools for the discovery of vulnerabilities as well as scale security testing.
- Review technical solutions to provide guidance to help mitigate security vulnerabilities as well as provide actionable long-term risk mitigation guidance to drive security improvements.
- Develop detailed technical documentation describing identified vulnerabilities, associated impact as well as recommendations for guidance for communication with internal engineering stakeholders as well as leadership.
A day in the life
- Perform pentests on yet-to-be-released devices or software ensuring it meets security requirements
- Perform code review of a driver for a new device being launched to our customers
- Write proof-of-concept code to demonstrate the impact of a security issue
- Ensure high security of vendor-provided hardware (such as whether there are security flaws in its boot process, etc.)
- Verify the code fixes made to address security issues
- Develop scripts or tools to automate assessments of targets
- Conduct independent vulnerability research on launched products or dependencies
About the team
Within the Devices and Services Security organization, the internal penetration testing team is responsible for product implementation reviews: penetration testing, fuzzing and vulnerability research. The internal penetration testing team is part of the Devices and Services Security organization, which is responsible for the entire SDLC, vulnerability management, incident response, and overall security across Amazon Consumer Devices (Kindle, Ring, FireOS, Kuiper, Alexa, eero and more).
By applying to this position your application will be considered for all locations we hire for in Europe, including but not limited to: Germany, France, Italy, Spain, Poland, Netherland or U.K.
Our team puts a high value on work-life balance. Striking a healthy balance between your personal and professional life is crucial to your happiness and success here, which is why we aren’t focused on how many hours you spend at work or online. Instead, we’re happy to offer a flexible schedule so you can have a more productive and well-balanced lifeboth in and outside of work.
Our team is dedicated to supporting new members. We have a broad mix of experience levels and tenures, and we’re building an environment that celebrates knowledge sharing and mentorship. We care about your career growth and strive to assign projects based on what will help each team member develop into a better-rounded engineer and enable them to take on more complex tasks in the future.
- A Bachelor’s degree in Computer Science, Cybersecurity, Computer Engineering, or equivalent professional experience can be used in lieu of a degree.
- Minimum of 3 years of experience in source code auditing, bug hunting or CTF experience.
- Minimum of 3 years of professional experience with security engineering practices such as in web application security, network security, authentication and authorization protocols, cryptography, automation and other software security disciplines.
Any of the following are preferred but not required to be considered for this role:
- Master’s degree in Computer Science, Computer Engineering, Electrical Engineering or equivalent
- 2 year of development experience in C, C++, assembly (x86, x86-64, ARM) and/or Java
- Experience in embedded/IoT device security or web services security specifically, with experience of performing software security audits, vulnerability discovery and analysis.
- Experience with common software security vulnerabilities and methods of exploitation, such as memory corruption, privilege escalation, web application exploitation, file format vulnerabilities, protocol-based weaknesses, etc.
- Experience with static and dynamic tools for vulnerability detection and exploit mitigation techniques
- Product security incident response in mobile, IoT or cloud services verticals
- Experience with extracting firmware, reverse engineering a variety of hardware and software, including firmware, operating systems, and applications, binary analysis and proof of concept exploit development
- Knowledge of common wireless connectivity protocols with focus on protocol and implementation security vulnerabilities (e.g. Bluetooth, WiFi, 802.15.4)
- Knowledge of hardware security mechanisms, including secure boot, trusted execution environments
- Meets/exceeds Amazon’s leadership principles requirements for this role
Amazon is an equal opportunities employer. We believe passionately that employing a diverse workforce is central to our success. We make recruiting decisions based on your experience and skills. We value your passion to discover, invent, simplify and build. Protecting your privacy and the security of your data is a longstanding top priority for Amazon. Please consult our Privacy Notice (https://www.amazon.jobs/en/privacy_page) to know more about how we collect, use and transfer the personal data of our candidates.