Uber Careers

Security Engineer - Vulnerability Discovery

Engineering Security, Safety, Security & Insurance
in Seattle, Washington

About the Role:

We are seeking a talented Sr. Security Engineer to join our Vulnerability Discovery team in Seattle, WA. The new member of our team will focus on scaling the traditional AppSec model of finding vulnerabilities manually to a fully automated and autonomous system. To that end, our new teammate will be tasked with designing, implementing and deploying security automation and services capable of identifying security vulnerabilities such as XSS, SQLi, CSRF, SSRF, etc. in our mobile, web and infrastructure-related apps and services. The nUber will also lead medium- to large-scale security projects, be responsible for creating long-term project roadmaps, prioritizing project objectives, as well as executing on those objectives and roadmaps in well-defined timelines.

About the Team:

We are a team of superstar engineers who lead the principled vulnerability discovery initiative at Uber. We ensure that all code at Uber adheres to company-wide security standards and is devoid of known security vulnerabilities.

To that end, we build and deploy top-notch taint tracking systems leveraging control-flow and data-flow analysis techniques to scan and report new security findings in over 5,000 services.

In addition, we crowdsource security intelligence via our Bug Bounty program, red team exercises, as well as manual and automated security audits.

Finally, we leverage research-quality CFG and DFG principles to codify the latest security breakthroughs into custom queries, which we then deploy across our fleet of advanced security scanners. As a result, we expand the ROI of our manual labor. Our constantly increasing corpus of security queries enables us to perform automated, systematic and comprehensive security analysis across all of Uber's applications and services.

What You'll Do:

  • design, build and deploy automation leveraging manually discovered security findings to scale vulnerability discovery efforts across more than 5,000 services
  • identify security-sensitive functionality in apps and services lacking security coverage and build out automation to bring security awareness into the affected areas
  • identify novel attacks and security weaknesses in company-owned assets and automate their discovery leveraging state-of-the-art control-flow and data-flow analysis techniques, methods and tools
  • identify gaps in apps, services and infrastructure lacking proper security scans, then build out and execute on a project roadmap to ensure 100% coverage across all assets and asset groups
  • perform threat modeling, design and code reviews to assess security implications and requirements for the introduction of new systems and technologies
  • provide security guidance to application and service owners to remediate security vulnerabilities
  • mentor junior security engineers

Who You Are:

You are a strong teammate, collaborator, and mentor. You are an experienced Security Engineer with a passion for having a global impact. You enjoy working on complex problems, finding security vulnerabilities in production apps and services, and scaling their discovery via automation. You have a proven track record of delivering results under tight deadlines, mentoring junior members, and helping them grow personally and professionally.

What You'll Need:

  • proven track record demonstrating impact across several teams, organizations and/or security areas
  • expertise in at least one security domain (e.g., web security, reverse engineering, etc.)
  • programming skills in at least one of: Go, Java, Python, NodeJS, etc.
  • ability to see the big picture, build out concise, comprehensive, yet realistic project plans
  • ability to execute on well-defined project plans
  • ability to communicate ideas and proposals concisely

Bonus Points if You Have:

  • experience designing, implementing and deploying large distributed systems
  • prior vulnerability management experience
  • expertise in multiple security domains or crypto systems

A Note From the Hiring Manager:

Traditional software development entailed designing, building and deploying systems on a predetermined dev/release cycle. Within that context, AppSec often operated in a strictly manual mode: security engineers dug through codebases, or directly pentested staging services in an effort to discover and fix vulnerabilities before they made their way to production apps and services.

The modern-day software development lifecycle demands continuous development, integration and deployment (CI/CD). Microservices-oriented architectures further complicate the control-flow and data-flow analyses, as data passes through dozens -- sometimes hundreds -- of services on its route from the user (source) to internal data stores (sinks), or vice versa. In this setting, point-in-time, manual code analysis of bespoke assets yields a limited view of their overall security exposure. Henceforth, AppSec should find new ways to scale its operations.

Here at Uber we have a highly skilled set of security engineers working on deploying top-notch taint tracking services to help us 10X the ROI across all manual code analyses, pentesting exercises, and bug bounty program operations we do. As a result, our advanced code-analysis services help us leverage research-quality control-flow and data-flow analysis techniques to continuously produce high-fidelity security findings at scale. The time we save due to automation, we then reinvest in performing tactical pentests and code audits, as well as designing, building and deploying innovative security solutions.

Sounds interesting? Join our team and help us set the bar for modern-day AppSec!

At Uber, we ignite opportunity by setting the world in motion. Our massive, efficient, and intelligent network consists of tens of millions of drivers, consumers, restaurants, shippers, carriers, and dockless e-bikes and e-scooters, as well as underlying data, technology, and shared infrastructure. We operate in over 700 cities around the world. Our apps and services power movement at the touch of a button.

We welcome people from all backgrounds who seek the opportunity to help build a future where everyone and everything can move independently. If you have the curiosity, passion, and collaborative spirit, work with us, and let's move the world forward, together.