Lead application security researcher wanted to join a great team

June 26, 2012

I am looking for a Lead Application Security Researcher to join the WAF team at Qualys, and work with us to build the best application security monitoring, detection, and protection product (our cloud-based web application firewall). We want someone who knows the application security field inside-out, and has tons of practical experience with the right mix of offense and defense skills.

The focus of this role is to own, design, and implement the security aspects of our product. This is a rare opportunity to break new ground, work in an exciting field, focus on application security research, and work with great people. We want someone who is passionate and focused, works independently and leaves no stone unturned. Above all, we want someone who will deliver.

To make things even more interesting, we've been building our core engine and libraries as open source from day one. See them now at https://github.com/ironbee/. We expect our open source and community involvement to intensify over time. There's also ample opportunity for writing articles, research papers, and presenting at conferences.

This is a full-time position in Redwood Shores, CA or Madison, WI. For the candidate that is just right, I am willing to consider other options.

Skill checklist:

  1. You know how the Internet works (networking, protocols, etc.)
  2. You know how web applications are built (and may have built some yourself)
  3. You know how to build secure web applications (the emphasis here is on understanding how to avoid vulnerabilities; strong programming experience is not required, but it's useful if you are able to do some scripting to build a research lab and automate testing)
  4. You know how browsers work and interact with applications
  5. You know application security and can use your skills to attack vulnerable applications
  6. You can evade web application firewalls
  7. You understand exactly why your attacks and evasion techniques work
  8. You can use all of the above to build a better mousetrap

If you fit the above description we would love to talk to you, employ you, and give you what you need to make you successful in our environment. Please contact me directly (the email is iristic at qualys.com) with your resume, examples of the work you are proud of, and a short cover letter. No agencies, please.