Amazon is seeking a Pentest Security Engineer II to join their Specialized Pentest Team focusing on Devices & Services. The role involves conducting penetration tests, identifying vulnerabilities, and collaborating with product teams to enhance security across Amazon’s ecosystem.
Responsibilities:
- Lead and contribute to penetration tests against services and software released by Amazon’s Devices & Services organization. This includes working closely with builder teams to scope pentests, develop test plans, find vulnerabilities, develop proof of concept exploits, report findings, and validate patches
- Analyze and identify security vulnerabilities in source code using both automated and manual static analysis tools and techniques
- Review and influence technical solutions to mitigate security vulnerabilities by providing actionable long-term risk mitigation guidance to drive security improvements
- Lead impactful security improvements in large product lines through close collaboration with our partner builder teams
- Develop detailed technical documentation describing identified vulnerabilities, associated impact, and recommended remediation to guide communication with internal engineering stakeholders and leadership
- Mentor junior penetration testers and cultivate a culture of collaboration and research sharing
Requirements:
- Bachelor's degree
- 3+ years of experience identifying, exploiting, and recommending solutions to remediate web application and service API vulnerabilities (e.g. mass assignment, broken object/function level authorization, JWT/OAuth, injection, business logic flaws, excessive data exposure, etc.)
- Experience tracing sources and sinks during code review to identify vulnerabilities, and providing contextual remediation guidance to address vulnerability root cause
- Experience designing and reviewing secure system architectures through the use of Threat Modeling incorporating sophisticated and modern attacks
- Knowledge of cloud service providers and their offerings, preferably AWS and its various technologies and services
- Foundational knowledge of hardware security
- Experience in CTF competitions, CVE research, and/or Bug Bounty recognition
- Experience with applying and assessing Machine Learning technologies
- Published security research (e.g. conference presentations, whitepapers, blog posts)