Senior Software Engineer - Payments
San Diego, CA
As a primary member of SIE's Global Vulnerability Management (GVM) team, you will be responsible for contributing to the improvement of a sophisticated global vulnerability identification and remediation program in a growing, fast-paced and complicated environment. The role will entail operational and project-based work across SIE Security, IT and DevOps teams, as well as global business units in SIE and Sony operating companies. GVM's mission is to provide vulnerability identification, research and analysis, and security validation for SIE organizations to deliver effective management and prevention of security risks.
• Serve as a Senior Security Vulnerability Research Engineer to identify threats and vulnerabilities, conduct research and analysis and validate issues to provide measurable reports and information with focus on usability and relevancy to the Systems Operations and Service teams.
• Utilize security, networking, and automation tools to enable early identification of threats which will provide situational awareness, improved decision-making, and timely threat mitigating actions.
• Facilitate various projects involving vulnerability scanning, patch management, and configuration management across Global SIE teams.
• Lead work efforts related to vulnerability scanning deployment and operations.
• Research and analyze findings to eliminate false positives, provide mitigation techniques, and to significantly reduce time-to-remediation.
• Determine and publish remediation prioritization based on research, threat intelligence data as well as confidentiality, integrity, and availability requirements of SIE systems.
• Demonstrate the quality of remediation efforts by documenting the corrective actions taken and ensure issues do not reoccur in the environments.
• Provide expert remediation support so that vulnerabilities are mitigated or remediated within the timeframes specified in the SIE GVM Standard.
• Work with and evolve the Security Operations toolsets and reporting to provide better vulnerability insight and create effective communications and measurable reporting. Automate vulnerability management-related operations and processes.
• Work with the DevOps team to improve security tools integration into CI/CD pipelines.
• Discover opportunities to enhance asset inventories and better enrich vulnerability data. Conduct ongoing research to help validate completeness or identify "gaps".
• Perform continuous security validation testing for SIE network and cloud environments to provide improved visibility to our overall security posture.
• Research and characterize risks to networks, operating systems, applications, databases, and other information system components to facilitate implementation of configurations and hardening settings for these environments.
• Support multi-functional team efforts for asset management, tagging, and grouping.
• Develop and demonstrate Proof of Concepts for identified vulnerabilities to convey business impact to the business and to distinguish true risk to SIE environments.
• Participate in developing policies, procedures and technical reports associated with operating and maintaining the GVM Standard and Framework.
• Stay abreast of exploit trends to ensure that GVM understands the threat landscape and SIE's risk exposure in order to prioritize remediation efforts effectively.
• Ensure that documentation, data, assessment information, and Vulnerability Management program information are kept up to date.
• Mentor, train, and assist junior personnel in the execution and use of new technologies, processes, and services.
• Some travel required.
• 8+ years' experience in Information Security, Information Technology, or Systems Engineering fields.
• Bachelor's degree in Computer Science, Information Security, or equivalent experience.
• Very strong understanding of OS and application vulnerabilities and remediation techniques.
• Advanced experience administering and operationalizing vulnerability management and network scanning tools – specifically Qualys.
• Sophisticated knowledge/experience in offensive security, adversarial tactics, techniques, and procedures, and common attack patterns such as binary exploitation, memory corruption, race conditions, web attacks, etc.
• Knowledge of both Windows and UNIX-based operating systems (i.e. RHEL, CentOS, Amazon Linux, Windows Server and client OS, macOS).
• In-depth knowledge of security standards, technologies and products and drive to continuously improve these skills.
• Ability to manually test for the presence of vulnerabilities.
• Experience with Git or other version control systems.
• Knowledge of Amazon Web Services (AWS) environments and security standard methodologies.
• Knowledge of Docker containers and container orchestration tools.
• Knowledge of CI/CD pipelines in Jenkins.
• Understanding of networking fundamentals.
• Knowledge of the PCI Data Security Standard (PCI DSS).
• Strong experience working with external teams to identify, follow-up, and deliver solutions.
• Strong attention to detail with the ability to efficiently analyze and resolve problems.
• Strong verbal, communication, and diplomacy skills with all levels of the business.
• Must be self-motivated, able to work independently, and multi-task effectively.
Recognized as a global leader in interactive and digital entertainment, Sony Interactive Entertainment (SIE) is responsible for the PlayStation® brand and family of products and services.