Penetration Testing Engineers UK

The EMEA Penetration Testing Team is looking to hire a Penetration Testing Engineer to join our rapidly expanding team.

Description of the Role

This is not a traditional Penetration Testing role. We don’t operate like a consultancy in the sense of moving from client to client and test to test. We are an integral part of the AWS AppSec team. Our customer is the wider Amazon business.

We go significantly beyond most penetration testing approaches.

All new services and applications must go through the security review process at AWS. This starts with architectural and design reviews as well as static analysis of the code. Following this, and before an application or service goes into production, it comes through the PenTest team.

We take an open book and source audit focused approach to most testing projects. We dive deep to identify vulnerabilities that static analysis and automated tooling won’t find. Where relevant we write proof of concept (PoC) code to demonstrate the impact of the issue.

Meet our Builders

Our team is responsible for manual assessment of all products, features, services and software released by AWS. We specialize in diving deep to find security issues that static analysis tools and traditional testing approaches can’t.

Our Penetration Testing Engineers are experts in their field. They are able to influence management practices and help shape the direction of AWS application security. This role is perfect for someone with both breadth and depth of technical ability who wants to be part of solving problems at scale.

This is a hands-on technical role that includes mentoring, guiding, and support of the whole team. In addition to developing better engineers, this role will help make changes to the way we work, advising on process and procedure to make the team better. That could be by developing tools, advising management, owning programs, or something else entirely. We want smart, creative engineers who want to contribute to the entire team.

Responsibilities
  • Deliver manual penetration testing and source code review engagements against a variety of AWS products and features, ranging from web services, web apps and APIs to other software
  • Help support and develop other engineers
  • Own projects
  • Write automation to help scale security testing at AWS
  • Provide actionable long-term risk mitigation guidance
  • Conduct vulnerability research against AWS
  • Write proof of concept code to demonstrate the severity of a security issue
  • Provide clear communication on the issue to developers whilst supporting their remediation processes and validating their fixes
  • Partner with AWS developers to drive improvement in application security as a result of security review engagements

On this team you will be reading and manually reviewing source code in Java, Ruby, Python, JavaScript, Rust, C, and other languages to look for security bugs and aid in the demonstration and exploitation of vulnerabilities. Whilst we don’t expect you to be an expert in all languages, you should be able to read and understand code, learn and be curious.

On this team you’ll be writing proof of concepts (PoCs) to demonstrate the impact of issues. This is not a software development engineering position, nor is it a traditional Penetration Test position. You won’t be socially engineering or writing enterprise-grade software; you will be diving deep into some of the latest AWS products and features and be able to script your way out of a problem.

If you're passionate about finding security vulnerabilities, writing tools to enable more focus on manual testing, supporting and developing others, and enjoy seeing your work enhance the security posture of a target, then we’d like you to help us solve some interesting and complex problems.


Frequently Asked Questions

Q. What’s it like to be a Penetration Tester at AWS?

A. This is not a traditional Penetration Testing role. We don’t operate like a consultancy in the sense of moving from client to client and test to test. We are an integral part of the AWS AppSec team. Our customer is the wider Amazon business.

We go significantly beyond most penetration testing approaches.

Q. How does the Pen Test Process work at AWS?

A. All new services and applications must go through the security review process at AWS. This starts with architectural and design reviews as well as static analysis of the code. Following this, and before an application or service goes into production, it comes through the PenTest team.

We take an open book and source audit focused approach to most testing projects. We dive deep to identify vulnerabilities that static analysis and automated tooling won’t find. Where relevant we write proof of concept (PoC) code to demonstrate the impact of the issue.

Q. I don’t have code auditing experience, is this role right for me?

A. Yes.

We raise the performance bar with every hire, so whilst code auditing is a key part of many projects, we are always looking for pen test skills across all disciplines, especially the more specialist areas.

Q. What is the opportunity?

A. Our EMEA Pen Test team is growing rapidly. They perform penetration tests across AWS products, services and software.

In this role, you would:

  • Dive deep into our systems, software and services
  • Write automation that scales AWS security testing globally
  • Use AWS tech to conduct vulnerability research across the platform

This is a permanent role. We are mainly looking for technical leaders who want to have a significant impact in the security space across AWS globally.

Q. What is the interview process?

A. The interview process will be virtual and will include:

  • 1-hour phone Interview
  • Final Virtual Interview via Amazon Chime comprising both Technical and Competency Interviews (here’s a great article about Interviewing at Amazon)

Q. Is there a remote option?

A. Yes. If you are based within the EU, we would be open to offering a remote option.

Q. What is the Salary range?

A. For now, we cannot give a definitive figure on salary, as that will be determined by your experience and strength of interview if all goes well. We offer a competitive package which will include additional benefits to be discussed at offer stage.

Q. What is the first step?

A. Please send your CV via LinkedIn conversation or email to rubymur@amazon.com

Q. I have a friend that might be interested; can I share your contact details?

A. Of course! Please feel free to share this document along with my email address rubymur@amazon.com

Interviewing at AWS

Phone Screen

The first stage of the process is a phone screen. We will assess functional aspects of the role via technical questions, as well as previous demonstration of Amazon's Leadership Principles via behavioural questions. The interview will be with an AWS Lead Engineer or Manager and will last for 60 minutes.

Manual code review and scripting is a large part of this role. Therefore, please have a computer available to you at the time of your interview, as there may be a live challenge. This is not a ‘pass’ or ‘fail’ activity – it’s to understand how you approach the problem and potential solution.

The following technical skills could also be assessed:

  • Web Application Penetration Testing (inc API and Web Service Testing)
  • Code Review (we may ask you to find vulnerabilities in code)
  • Your approach and methodology to Penetration Testing
  • Previous sanitised examples of security issues you found and exploited
  • General Cybersecurity
  • Cloud Security
  • Cryptography
  • Threat Modelling and Secure Design

Leadership Principles

We strongly recommend you spend some time on understanding our Leadership Principles. They will give you great insight into what to expect when you join Amazon. Each interviewer you meet with will be tasked with assessing you on these. The Amazon bar is quite high, and we can’t stress enough that you need to give really thorough, in-depth answers during your interviews.

We also recommend having various data points and specific metrics to demonstrate your success to back up each of your answers around leadership principles, as Amazon loves data! In terms of tech, they will cover topics such as Pen Testing (Web App/Web Service), Scripting, Code and Threat Modelling.


Join the Talent Pool
  • Do you enjoy Penetration Testing software and services?
  • Do you strive to understand systems, software, and services deeply in order to compromise them?
  • Do you find yourself automating away your work every chance you get? Are you keen to learn new things and test some of the very latest technologies and AWS products?
  • Are you a technical leader who enjoys supporting and developing others?
  • Would you like a change from the consulting world of Penetration Testing, and to join a team that's driving security innovation and improvement at AWS?

If the answer to any of these is yes, we'd love to speak to you.

By joining the Talent Pool, your CV and info will go directly to our recruiting team.
