Amazon Web Services (AWS) Security team is hiring in Seattle (WA), Herndon (VA), Dublin (Ireland), and Sydney (Australia). We're looking for folks interested in the following areas:
* Penetration testing and general software breaking
* Application Security & Design
* Incident Response
* Compliance / Security Assurance
* General software engineering
Successful candidates are those that can not only break software, but are also able to build software. No formal education is required, but demonstrable technical prowess is encouraged.
Other particulars: Relocation is available. VISA sponsorship may be possible for qualified candidates. Remote work is not available.
Interested individuals should send their resume, professional/technical background information, and what areas you're interested in exploring career options to "b3NtYW5zQGFtYXpvbi5jb20K" (base64 decode it) and use the subject line "HN May 2017" to be considered. No recruiters.
Amazon Web Services | SEA | Security Engineer | ONSITE
In 2006, Amazon Web Services (AWS) began offering IT infrastructure services to businesses in the form of web services -- now commonly known as cloud computing. Today, Amazon Web Services provides a highly reliable, scalable, low-cost infrastructure platform in the cloud that powers hundreds of thousands of businesses in 190 countries around the world.
AWS's Application Security team is looking for security professionals interested in working in the areas of:
* Penetration testing
* Application security
* Automation
* Building of security services
Ideal applicants have a strong passion in the field of computer security and have experience programming/scripting away problems. Professional experience and/or a degree from a university is not a prerequisite if the candidate is able to demonstrate his/her competency in other ways.
To learn more about these positions and others, please reach out to me directly at osmans _at_ amazon.com with a subject line of "HN Hiring (OCT 2016)" and information about what area of computer security listed above that you are interested in; alternatively you can also tweet/dm at me @surkatty.
I believe it's less about fear mongering and more about understanding the level of sophistication of the software. Talk to an anti-malware analyst and they'll tell you how commoditized the malware game is nowadays. There's an endless stream of malware and ransomware which can be linked back to just a handful of frameworks. These types of malware families also fall under the spray-n-pray mentality for distribution. Spam, drive-by-downloads, infected torrents, etc.
Compare the mass of malware that is out there with the level of technical sophistication, OPSEC to prevent detection, and precise targeting of its victims. Along with other big name malwares (i.e. Stuxnet, Flame, etc.), this class of malware is very precise in its objective. It isn't trying to make money for its owners. It isn't trying to replicate itself across the internet endlessly. Rather it has a key objective of infecting a specific set of networks. So when researchers call out the fact that it is likely to be "state sponsored", they are saying the purpose of the malware is very different than your average piece of malware.
Everything you said is true, but I'd like to elaborate a bit further: sometimes state involvement can be inferred when the exploit involves computing resources which could only be reasonably wielded by a nation-state.
For example, suppose that this exploit involved the reversal of an MD5 hash (and this is simply an example, I'm not saying that the actual exploit did). How much computing power would be required to do this? I couldn't do this reliably on my home machine, nor could I afford the cloud-compute power to perform it. However, assembling a vast array of machines is within reach of a state sponsored intelligence agency.
So, that's often it: at some point, the computation would be so expensive that you'd have to infer that only a nation state could have financed it.
Essentially, depending on what malware does, we can easily identify government software because criminal software has a different set of objectives. Is it possible, though, that corporate software could have similar objectives? I'm thinking corporate espionage type behaviour.
To be clear, this was not something I wrote/scripted. I'm quoting the comment. However, due to the title character limit, I couldn't make that clearer in the post title. :\