Senior Security Engineer
Job Description
Summary
Imagine what you could do here. At Apple, new ideas have a way of becoming great products, services, and customer experiences very quickly. Bring passion and dedication to your job and there's no telling what you could accomplish.
The Apple Information Security (AIS) team is responsible for developing services to find and mitigate security risks faced by Apple. We are seeking an extraordinary Software Developer who is passionate about security, and can thrive in a fast-paced environment where both individual drive and team collaboration are the keys to success. As part of the AIS team, you'll be at the forefront of developing cutting-edge services to identify and mitigate security risks. This isn't just any technical role — it's an opportunity to make a significant impact on the global security landscape. You will perform hands-on work to identify issues, create a vision for resolving them, and collaborate with relevant business stakeholders to realize that vision.
Description
In this role you will conduct application security assessments, threat modeling, and penetration testing modeled after real world attackers. You will also develop tooling to automate security testing and mitigate security threats.
Our scope spans across Apple and includes customer facing and internal corporate applications. Our team is primarily responsible for supporting highly critical foundational infrastructure and security services. We work multi-functionally with teams Apple wide providing security consulting services and driving new security initiatives. Our hardworking team of security professionals is a key to our success.
Within this role you can expect to
* Conduct security architecture review of the full stack including applications built on cloud and new technologies.
* Conduct manual application security testing and source code auditing for a variety of technologies. Provide clear and detailed risk assessment and remediation guidelines for developers and business owners.
* Conduct penetration testing targeting critical Apple data, services, and environments. Report underlying security issues and propose enhanced security protections.
* Research the latest standard methodologies, trends, threats, vulnerabilities, and technology frameworks
* Detail and disseminate security guidelines for common security issues, remediation guidance, and security technology baselines
* Develop tools, exploits, and products to support application security review and/or penetration testing
* Research and develop tools to improve static analysis framework capabilities (e.g. accuracy, coverage, and efficiency of detections)
Minimum Qualifications
- Experience with Rust and/or Go. Familiarity with C/C++, Swift, Objective-C, or Scala is a plus.
- Extensive experience manually testing web applications and/or enterprise penetration testing
- Extensive experience with a scripting language (e.g. python, PHP, ruby) and a programming language (e.g. Java, Swift, C)
- Proficiency in some form of UNIX
- You have the ability to explain basic networking concepts (routing, ACL, load balancers, SSL/TLS, TCP) in order to provide application architecture feedback
- You have a background in web application development and/or code auditing
- You have strong verbal and written interpersonal skills
- You have a real passion for discovering and researching new vulnerabilities and exploitation techniques
- You are deeply accountable for your work
- You are upbeat, adaptable, and results oriented with a positive attitude
- BS in Computer Engineering with specialization in Information Security, or 4+ years of equivalent hands-on information security experience in a large enterprise environment, is a plus.
Preferred Qualifications
- Experience with offensive and automation tool development
- Experience with vulnerability scanning tools: network, SAST, and DAST
- Familiarity with testing services that employ AI/LLM and the OWASP Top 10 for LLMs
- Experience leveraging AI/LLMs for security testing and automation
- Experience with one or more public cloud services (e.g. AWS, GCP, AliCloud)
- Experience with Kubernetes and container security
- Experience with common authentication protocols (e.g. SAML, OIDC)
- Experience using and releasing open source software in corporate environments, with knowledge of licensing and legal review processes.