
Job Description

The Elevator Pitch: Why will you enjoy this new opportunity?

The world is changing fast, and the security engineering space is changing even faster! Corporations,
governments, schools, and hospitals are in desperate need of digital
transformation at a rapid pace. VMware is driving this transformation for 350,000 customers (which includes
98% of Fortune 500). You won’t find another company that offers the
breadth of innovative technology. Now imagine the opportunity to work on securing the products and services
which VMware creates on cutting edge technologies. You would be
exposed to the broad technology stack which you can break / hack into and help secure. This opportunity
provides an endless possibility to learn, grow and flourish as a product
security engineer.
This product security engineer role is part of the S.C.O.P.E organization, which expands to Security,
Compliance, and Privacy Engineering. This organization is responsible for the
complete security state of all the Products and SaaS offerings from VMware. This includes product security
(Blue team/Red team), compliance (FIPS/Common Criteria/etc.),
response (externally reported issues/bug bounty/etc.) and data privacy.
As part of this role in product security, you will be responsible for identifying security design flaws and
vulnerabilities, and offering potential remediation recommendations. Also,
you will have the opportunity to collaborate with, but not limited to, security architects, development teams
across VMware, and other security engineers in the team, who work on
various areas such as virtualization, software-defined networking, cloud security, and Kubernetes.
If you have the drive to work on securing the next big thing, we would love to talk!

Success in the Role: What are the performance outcomes over the first 6-12 months you will work toward
completing?

The following is a schedule for the first year of joining:


• Within 1 month of employment, become competent with VMware’s rules, guidelines and standard operating
procedures.
• Within 3 months of employment, learn the product/SaaS offering which you will help secure, the technology
stack which they use, become familiar with the attack vectors
in the related domain, and get accustomed to the code base, recent externally reported vulnerabilities, release
cycles etc.
• Within 6 months of employment, work towards becoming competent in handling secure design reviews,
threat model activities, scoping penetration testing and performing
security testing of products/SaaS.
• Within 1 year of employment, work towards becoming competent in handling multiple products and SaaS
offerings, along with automating security test cases.

The Work: What type of work will you be doing? What assignments, requirements, or skills will you be
performing on a regular
basis?

As a product security engineer, you will:


• Work on feature level security assessment
• Work on product / SaaS offering / Solution level secure design reviews and threat modelling
• Scope for penetration tests
• Perform penetration testing at product / SaaS offering / Solution level
• Perform manual secure code reviews
• Identify security vulnerabilities and control gaps
• Provide actionable and practical mitigations to address security vulnerabilities by working closely with the
development teams
• Generate penetration test report
• Analyze externally reported vulnerabilities
• Automate repeatable security tests

Basic qualifications:

Experience required: 2 - 8 years
• Penetration testing skills in Web, System, Container, Mobile, Network, and Cloud based technologies
• Familiarity with SAST and DAST tools
• Manual secure code review (not limited to): Java, C/C++, C#, JavaScript, Go, Python
• Experience with coding/scripting in one or more of the following (not limited to): Python, Ruby
• Vulnerability assessment

Preferred qualifications:

• Secure design reviews and threat modelling
• CTF experience
• Public track record of security research such as CVEs, bug bounty recognition, conference presentations
• Security automation such as (not limited to) Burp Suite automation, familiarity with Frida
• Open source vulnerability assessment
• Programming experience in one or more of the following (not limited to): Java, C/C++, C#, JavaScript
• Security certifications
• Bachelor’s degree in a technical discipline
• Good verbal and written communication skills

What is the leadership like for this role? What is the structure and culture of the team like?

S.C.O.P.E is headed by Ashok Banerjee, who is the Vice President based out of U.S. vSECR, which is widely
known, is part of this organization. The leadership of S.C.O.P.E
reporting to Ashok is based out of India, U.S., and Ireland. As part of this role, you will be joining the India
team, which is headed by Madhusudan H.N in Bangalore, India. The
leadership encourages independent thinking and gives a free hand to innovate.
The team is distributed across the globe, in India, U.S., and Europe. We have a diverse, inclusive and open
culture in the team. We encourage continuous learning, sharing of ideas
and thoughts, and growing together as a team. The team consists mainly of security engineers with experience
ranging from less than a year to more than 10 years. We also have a
good presence of technical product managers, full stack developers, and security architects. The team is built
on trust and empathy, and we celebrate each other’s successes.
