Security Analyst

Job Description: Security Analyst

The Oracle Cloud Infrastructure (OCI) Hardware team is actively seeking a highly driven hardware/firmware security expert at the Principal Engineer level. In this role, you will participate in the organization-wide Security Assurance program while also engaging in technical security reviews and having opportunities for code-level security work. All engineering teams at Oracle are mandated to adhere to security best practices for integrating security into products and services. These Oracle Software Security Assurance Standards (OSSA) and Oracle Hardware Security Assurance (OHWSA) provide guidance across the entire lifecycle, from component selection and intake, product design, development, testing, release/deployment, to vulnerability and patch management. The OCI Hardware Development team provides the AI, GPUs, components of Oracle's AI hardware platform hardware and firmware used in Oracle Cloud and in Oracle Engineered Systems, including Oracle Exadata. The OCI Hardware organization has successfully delivered the first and second generations of Oracle cloud platforms and is now building the next generation of cloud and enterprise systems, aiming for record-breaking performance, security, and world-class quality using the latest merchant silicon and technologies.

Job Summary

As a key member of the OCI Hardware/Firmware Security team, the Security Analyst will collaborate closely with the team's Chief Security Architect. This role focuses on managing and participating in all aspects of OCI Release Management (ORM), Oracle's Hardware Security Assurance (OSSA) program, and the Oracle Hardware/Software Security Vendor Intake program. You will manage hardware/firmware security vulnerabilities end-to-end, from triage to mitigation planning, rollout, and customer messaging. Additionally, there will be opportunities to work on security projects and initiatives defined by the Chief Security Architect. The scope encompasses both hardware and firmware, involving Oracle internal teams as well as external partners. Responsibilities extend from educating and supporting Oracle teams, to performing technical security and process reviews, and ensuring Oracle's partners understand future security requirements. This role also involves designing, developing, troubleshooting, and debugging software programs for various applications, tools, and networks.

Responsibilities

• Monitor vendor embargoed advisories (Intel, AMD, NVIDIA, ARM, etc.), VINCE, and other sources for hardware and firmware vulnerabilities.
• Perform risk analysis and threat modeling to triage applicability and risk of vulnerabilities to Oracle hardware products and platforms.
• Drive and track mitigation of vulnerabilities across various OCI teams and stakeholders through rollout.
• Communicate risk and mitigation plans to internal teams, leadership, and customers via legally approved messaging.
• Utilize Python for running internal tools that aid with vulnerability management.
• Assist engineering teams in planning security reviews for hardware/firmware technologies under consideration.
• Ensure teams create required materials for:
  • Inbound HW/FW security reviews
  • Inbound third-party software security reviews
  • Product release security reviews
• Perform these security reviews.
• Track the progress of individual reviews and produce reports.
• Identify and drive improvements to security processes.
• Work with the Hardware Chief Security Architect, virtual security team, and key internal partners.
• Collaborate with Oracle's third-party ecosystem to communicate hardware security requirements and assess current adoption and future compliance.
• Act as a technical security resource for Oracle's third-party ecosystem.
• Develop tools as needed to support the security process.
• Opportunities to work on code-level assessment, partnering with the Core Firmware Engineering team.
• Opportunities to be involved with Architectural Risk Analysis and threat analysis.

Required Qualifications

• B.S. in Computer Science, Computer Engineering, or a related field.
• 7+ years of experience in software engineering and/or security.
• Experience in security analysis/assessments and the ability to audit security or forensic reports.
• Expertise across the secure firmware/software development lifecycle, including component security reviews, static and dynamic analysis tools.
• Highly motivated, with a strong sense of urgency and ability to deliver multiple tasks under pressure.
• A strong problem-solver, capable of both strategic thinking and diving into technical details as needed.
• Capable of working independently.
• Experience with understanding, analyzing, and communicating hardware security vulnerabilities, attacks, and research to engineering communities and audiences.
• Comfortable dealing with ambiguity and adaptable to changing environments and needs.
• Excellent written and oral communication skills.
• Experience with the architecture, design, and implementation of modern server platform hardware & firmware.
• Programming experience (C/C++, Linux Programming, bash, Python, Java).

Key skills/competency

• Hardware Security
• Firmware Security
• Vulnerability Management
• Threat Modeling
• Risk Analysis
• Security Reviews
• Secure SDLC
• Python Programming
• C/C++ Programming
• Cloud Security (OCI)