Offensive Security Engineer

Responsible for advanced security testing of Oracle applications and services (primarily SaaS-related) including but not limited to covert red team operations, security research and white box penetration testing, exploit development, and black box penetration testing.

This team is responsible for ensuring the protection of Oracle's SaaS applications and services.
 

Oracle SaaS (a.k.a. Oracle Cloud applications), built on machine learning, offers the most complete application suite with the best technology, enabling fast innovation with a modern UX and customer-first approach and one of the top strategic cloud services for Oracle. 

The SCS organization is responsible for securing enterprise-grade software services on behalf of our 25,000 customers, processing over 60 billion transactions per day.  You will have the opportunity to work in a cloud-scale environment using the latest security technologies/tools and collaborate with the best minds in the industry, to collectively stay ahead of and respond to increasing threats to cloud services. And you will actively engage in conducting proactive security research and white box penetration testing, including the development of working proof of concept exploits; reactive security research based on industry trends as well as security incidents related to Oracle; covert red team operations; black box penetration tests; and other types of work involving collaboration with various security and engineering teams within Oracle SaaS.

About you:
Successful applicants will possess the knowledge necessary to conduct ethical hacking activities on: 

• SaaS applications
• SaaS host and network environments
• Web applications
• APIs
• Java-based technologies
• Databases
• AI/ML technologies
• Internally facing tools
• More…
   

The team that is hiring will have members who may possess different sets of advanced offensive security skills.  Some of the advanced skills needed include:

• Red team custom implant development primarily in a Linux environment (non-Linux OS environments also present but less numerous)
• Red team campaign execution
• Red team infrastructure support (i.e., Terraform, Ansible, cloud products, etc.)
• Security research and code review
• Proof of concept exploit/malware development

Minimum Qualifications:
 

• 5+ years of experience in offensive security, with at least 3 years of recent experience with red team operations or security research
• BS in Computer Science, or equivalent experience
• Deep familiarity with Linux and attack tooling is required
• Ability to work in a collaborative, cross-functional team environment
• In depth knowledge of security vulnerabilities including a detailed understanding of the OWASP top 10, secure design and secure coding principles
• Ability to prioritize and handle concurrent assignments or projects
• Excellent team player, willing to share knowledge and skills with peers and team members
• Strong presentation, written and verbal communication skills
• Experience with security testing tools including static analysis, web application testing, infrastructure and network testing, and manual security testing required
   

Preferred Qualifications:

• Proficient in multiple programming and scripting languages including any of the following: Java, C#, C, Go, Rust, Scala, Ruby, Python, Bash/sh, Powershell, JavaScript, or other object-oriented languages
• Experience leading red team campaigns from start to finish with high success rate and low detection rate
• Experience in building covert command and control (C2) implants designed to evade host-based and network-based detection capabilities
• Proven ability (i.e., published CVEs, etc.) to discover and exploit complex security vulnerabilities and vulnerability chains to achieve remote code execution (RCE)
• Experience with AI red teaming or penetration testing
• Advanced security certifications relevant to white box penetration testing and red team operations such as: OSCP, OSCE, OSWE, OSEP, OSED, OSEE, OSCE3, CRTP, CRTE, CRTM, GXPN

Oracle is an Equal Employment Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, sexual orientation, gender identity, disability and protected veterans status or any other characteristic protected by law.

Career Level - IC4