Windows - Senior Application Security Engineer
CENSUS SA
- Greece
- Permanent
- Full-time
- Reviewing product security designs, documenting missing security controls, and driving analysis for security improvements.
- Executing and reviewing threat modelling, attack surface enumeration and attack tree creation activities for products running on cloud platforms.
- Researching, reviewing, comparing, and proposing technologies that can satisfy the client's established requirements, and aligning with their strategies.
- Executing end-to-end security posture assessments for mobile, web and special purpose applications, with a focus on applications deployed on Windows platforms, via source code auditing, functional testing, fuzz testing and other applicable methodologies.
- Verifying if output implementation is aligned with the products' security architecture, requirements, and threat model.
- Documenting and presenting product security risks in both technical- and business-oriented language.
- Supporting a small team (2-3) of security engineers and/or consultants, to successfully assess and research bleeding-edge technologies and products.
- MSc or BSc in Electrical Engineering, Computer Science, Computer Engineering, or equivalent practical experience.
- 4+ years of experience in application security related role(s) on Windows based technologies. Experience can be an engineering / development position (e.g., consumer or enterprise), an assessment / consultancy role, an equivalent role in other engineering organizations, or a combination of them.
- Proven experience in developing or assessing security features for Windows Native, WebView2 or Hybrid applications and system services.
- Proficient in English and excellent communication skills.
- Excellent knowledge of Windows system internals and security features, including local authentication mechanisms, platform services and subsystems (Networking Services, Windows Security Subsystem, etc.).
- Experience with performing design-level security reviews and verifying that output implementation is aligned with the design and input threat models.
- Experience in reading & comprehending source code, discerning business logic pitfalls, and identifying security flaws in Windows-based software developed with:
  - Commonly used Windows development languages, such as C/C++, C#/.NET languages, and scripting languages such as PowerShell.
  - Commonly used Windows APIs, such as Win32, Windows Networking/Socks, Windows Security (Windows Credential Manager, Windows Cryptography, Security Support Provider Interface, etc.).
- Experience with applied cryptography and cryptographic protocols, such as authenticated encryption, mTLS, Key Exchange / Agreement, Key Derivation, Key Wrapping and Remote Key Attestation.
- Experience in identifying and reporting security vulnerabilities that impact endpoint and client/server applications (data protection, IPC ACL, transport layer protections, insecure configurations, secrets management, etc.).
- Problem solving skills, analytical thinking, and willingness to learn/grow.
- Familiarity with debugging, instrumenting, and profiling software running on different runtimes, e.g., native, .NET, Node.js.
- Familiarity with Active Directory, on-prem or cloud (Entra ID), services and their integration on product solutions.
- Familiarity with the integration of hardware secure elements, hardware keys or TPM, to potentially enhance the security of Windows applications and systems.
- Familiarity with application reverse engineering or fuzz testing methods.
- Experience of working with international teams in other regions and time zones worldwide.