Manager - Penetration Testing (US Remote Available)

Uber | San Francisco, CA, US

Posted 7 days ago

About the Role

Uber’s Product Security organization is growing and looking for a Penetration Testing Manager to lead our security assessments team. In this role you will be responsible for leading a team of highly skilled penetration testers whose principal mission will be to conduct offensive pen-testing activities against our micro-services, applications, infrastructure and data-layer services. You will work closely with our engineering groups to define pen-test scope and schedule, lead assessment engagements, and map assessment findings into engineering plans of action for remediation, ultimately guiding our product security uplift activities. This is a unique opportunity for an experienced pen-test manager who is collaborative and has a healthy sense of curiosity to join Uber Engineering Security, make a real positive impact on our security posture, lead the strategic direction and evolution of our assessments team, and help us improve the security designs of our next generation of systems and services.

What You Will Do

Lead, manage, and develop our geographically distributed offensive security and pen-test team. Mentor and teach junior pen-testers.
Manage and organize pen-test preparation and scheduling activities for in-house and out-of-house mobile white-box and grey-box assessment activities.
Create quality written work products for both technical engineering and non-technical consumers.
Validate, refine, and defend the team’s assessment work product.
Oversee Uber’s responsible disclosure and bug-bounty programs for Uber and its subsidiaries.
Be a subject matter expert and ambassador to Uber Engineering and our subsidiaries for secure coding practices, penetration testing, mobile platform security and all aspects of application and product security.

Basic Qualifications

Hold a pen-test certification such as Offensive Security Certified Professional (OSCP), CEH, OSWE, OSCE, GPEN, GMOB, GWAPT or GXPN, or be willing to work towards obtaining one as part of your career path.
Experience with Java, Go, Python or Node.js (bonus points for more than one).
3+ years of management experience, and 5+ years overall of relevant engineering or security assessment experience.
Have a formal knowledge of attack vectors, exploits and mitigations, and be able to articulate the Tactics, Techniques and Procedures (TTPs) involved in carrying out security assessments.
Have prior experience scoping and performing pen-testing of mobile applications and micro-services based environments, from limited to full scope, across a wide range of API and UI technology stacks, public cloud and infrastructure.

Preferred Qualifications

You have great interpersonal skills, deep technical ability, and a history of successful execution in the assessments industry. If you enjoy discussing anything from procedure linkage tables in kernels to remote code execution in JVMs, then we want you on the team.
Prior experience leading teams across multiple locations.
B.S. in Computer Science, Electrical Engineering or Computer Engineering, or equivalent work experience as a software engineering or security practitioner.
Familiarity with industry-standard threat modeling, risk modeling and vulnerability classification.
Experience working with in-house engineering organizations, S-SDLC/CI/CD software lifecycle and QA processes, and an understanding of software security architecture principles.
Familiarity with AWS and GCP public cloud providers, plus private cloud equivalent service layers.