Red Team Engineer
Veeva Systems is a mission-driven organization and pioneer in industry cloud, helping life sciences companies bring therapies to patients faster. As one of the fastest-growing SaaS companies in history, we surpassed $2B in revenue in our last fiscal year with extensive growth potential ahead.At the heart of Veeva are our values: Do the Right Thing, Customer Success, Employee Success, and Speed. We're not just any public company – we made history in 2021 by becoming a public benefit corporation (PBC), legally bound to balancing the interests of customers, employees, society, and investors.As a Work Anywhere company, we support your flexibility to work from home or in the office, so you can thrive in your ideal environment.Join us in transforming the life sciences industry, committed to making a positive impact on its customers, employees, and communities.The RoleVeeva’s Offensive Security Team is seeking a Red Team engineer to help keep Veeva secure and safe from attackers. Our team in Columbus is growing, and we want you to join us! This role has a broad scope, ranging from attacking Veeva’s AWS services, infrastructure, processes, and products. Discovering weaknesses in Veeva’s architecture, working with product and platform teams, and performing penetration tests on new products are just part of the job. You’ll also be working with third-party testers and researchers to sharpen our detective and preventative capabilities. This role presents an ultimate test of one’s security knowledge and ability, along with the support of a team of highly skilled individuals.
What You'll Do
- A Red Team Security Engineer at Veeva is expected to be strong in offensive security domains, testing, techniques, and practices
- Engineers in this role work closely with application product teams throughout Veeva
- Security engineers will provide technical leadership and advice to developers, engineers, and third-party consultants
- As a Red Team Engineer, you must show exemplary judgment in making informed technical trade-offs of testing, short-term fixes, long-term security gains, and product team development
- You must also demonstrate resilience and navigate difficult situations with composure and tact
- Above all else, a strong sense of customer obsession is necessary to focus on the ultimate goal of keeping Veeva and its customers secure
- Participate in Red Team engagements throughout
- Conduct full-cycle engagements with development teams independently, or as part of a team
- Perform manual examination of Veeva systems, websites, and networks to discover weaknesses
- Thoroughly document exploits, attack chains, and proof of concept scenarios for technical reviews
- Communicate findings and discoveries to prioritize and execute remediation plans
- Coordinate findings and remediation from third-party penetration testers
- Maintain AWS VPC and related testing systems for our internal and third-party testing programs
- Conduct red team, purple team exercises and coordinate tabletop exercises
- Penetration tests of new products, features, and technologies
- Review Veeva product release notes and select new features to test throughout the year
Requirements
- BS in Computer Science or related field, or equivalent work experience
- 2+ years in an Information Security role, preferably in red teaming, offensive security, penetration testing, reverse engineering, or application security
- Advanced knowledge and understanding in various disciplines such as security engineering, system and network security, authentication and security protocols, cryptography, and application security
- Experience with interpreted or compiled languages: Python, PHP, C/C++, Java, C#
- Experience with cloud service providers and their offerings, preferably AWS and its various technologies and APIs
- Mobile testing on Windows, OSX, iOS, and Android
- Experience with various testing tools, such as Burp Suite, Netspaker, Kali Linux, Metasploit, Nmap, Nessus, etc.
- Familiar with offensive TTPs (Tactics, Techniques, and Procedures) including post-exploitation and lateral movement
- Experience with Redhat, AWS Linux, AWS Linux 2, Windows Server 2012, 2016 and 2019
- Understanding of one or more standards: OSWAP Top 10, SANS Top 20, NIST 800-53, CIS, CSC, or other security standards
Nice to Have
- Industry penetration certifications such as OSCP, GPEN, GXPN, GWAPT, etc.
- Industry security certifications such as CISSP, CEH, or others
- Experience in conducting social engineering-focused assessments
- Experience in CTF competitions, CVE research, and/or Bug Bounty recognition
- Knowledge of the MITRE ATT&CK Framework
- Experience in Web and Mobile (Android/iOS) based application/service assessment
- Experience in Wireless and Network assessment in enterprise infrastructure
- Experience in reverse engineering and associated tooling such as IDA
- Experience in Advanced Persistent Threat exploits
- Experience with Web Application Firewalls (WAF), IDS/IPS, or other security platforms
- Knowledge of fuzzing, memory corruption and exploit development
- Knowledge about hardware hacking