Work with McAfee

Amazing works here and we want more of it.

Senior Product Security Architect

Location: Santa Clara, CA US
Other Location(s): Texas, Plano; Ireland, Cork; Oregon, Hillsboro
Job Id: JR0008267
Job Category: Product Development / Engineering
Job Description

The software architect is responsible for the technical direction of a project. Makes high-level design choices for the software structure, frameworks, protocols, and algorithms. Determines coding practices, development tools, and validation requirements. Performs pathfinding and surveys technologies. Interacts with multiple technologists in the company and within the industry, as well as between developers and project managers, to evaluate feasibility of requirements and determine priorities for development.

Duties

Will be responsible for working closely with the Principal Engineer for Product Security Architecture to contribute to, help to manage, and maintain the company’s Product Security Architecture Strategy across McAfee’s Product Business Units and across McAfee’s broad and deep product portfolio. This role will be looked at as a main technical Subject Matter Expert for Product Security to:

  • Provide architectural and technical guidance to product security
  • Design, plan and implement secure coding practices and security testing methodology
  • Ensure practices meet software certification processes
  • Drive the security testing of the products.
  • Test and evaluate security related tools
  • Stay abreast of the latest industry trends and best practices in IT/software information security
  • Stay abreast of the latest versions of operating systems, database software as well as other third party software utilized by McAfee products
  • Assess vulnerabilities for severity and impact, with emphasis on both CVSS scoring and risk rating in context

Responsibilities:

Many of these activities will be achieved through collaboration, teamwork, and technical leadership with other company resources, and especially, a 120-person virtual security team embedded within multiple product groups and business units and will include the following:

  • Participate in code and design reviews with product teams
  • Work with McAfee IT infrastructure team, including design and code reviews
  • Interface with all levels of management to negotiate priorities and outcomes
  • Develop security auditing procedures
  • Develop and improve the product security standard requirements for different target groups
  • Make decisions in cases of deviation from the product standard, or either prepare management with accurate risk assessments to make decisions or advise development on solution strategy
  • Provide internal consulting for secure planning and development, analyze product security architectures
  • Provide reporting for different management levels
  • Provide lifecycle information security support to product and other critically designated application development teams. Key responsibilities will include:
  • Engage in the initial requirements definition (including analysis of threats and risks and alignment with McAfee security, Engineering, IT and Architecture standards)
  • Conduct and facilitate security reviews, including SSDLC testing requirements, throughout the development lifecycle
  • Facilitate "table-top"/red-team/scenario analysis exercises in conjunction with other SMEs, and plan the resolution of any identified vulnerabilities/issues
  • Security review of products/applications including requirements definition and risk analysis
  • Validate claimed vulnerabilities, assess the risk using Common Vulnerability Scoring System (CVSS), followed by in-depth risk analysis and ensure adequate roll-out of security patches
  • Create security training, self-tests and enhance the secure programming guides
  • Communicate with and drive the worldwide security network with security researchers, customers, and our own support organization
  • Create security test case specifications (target: code reviews, automation, and easy manual execution), contribute test tool strategy
  • Support security projects in development and security research projects
  • Perform conception work, for example, on key performance indicators, framework for external security assessments, security in agile development, cloud computing, and software as a service

Qualifications

  • Advanced degree (Masters or PhD) in computer science or related field preferred
  • 10+ years of combined experience as a developer and architect
  • Excellent interpersonal and communication skills
  • Hacker mindset, security risk awareness and security know-how
  • Ability to express and drive the resolution of technical problems effectively
  • Strong appetite to continuously work on new technologies and topics
  • Drive for quality, ability to define and execute security assurance strategy and security process
  • Customer focused and a team player
  • Product security experience at a large software company is a very strong plus.
  • Deep understanding of technical threats - the basis of how attacks work, why they work, and what that means to us as a software company and to McAfee’s customers.
    • Ability to pull a debugger out and figure out what just happened (exploit analysis)
    • Ability to duplicate and explore the threats in a meaningful way (exploit creation)
    • Ability to extrapolate that information into meaning (how could this affect us)

  • Wide breadth of software code experience
    • C/C++ – this is our most common language. Needs understanding of traditional C architecture, but also C++ OOP practices, as well as STL and modern C++ architecture
    • Java – this is our second most common language. Need to understand Java object layering, and common patterns of Java enterprise coding. Strong understanding of J2EE and JME useful. Helpful to understand common web frameworks like REST & JSON and Java application servers
    • C# – up and coming. Similar needs to Java.
    • Others – we have audited code in Python, Perl, PHP, Objective-C, and half a dozen other languages. Needs to be flexible and learn enough of the threats to review and potentially audit code in just about any language.
  • Wide platform experience
    • Windows – we primarily care about Windows, so the types of threats here are most important. Need to understand permissions, registry, common architecture aspects (service architecture, split between privilege levels, kernel versus userland). Broad and deep knowledge is helpful.
    • Unix – we have several platforms that are built on Unix technology. Need Linux, *BSD, MacOS, Solaris, HPUX, and AIX (in that order). Don’t need to be a ninja on all, but know the threats, the architecture, and how to comport oneself on each.
    • “Other” – we need people who have flexibility to get into things like Android, iPhones, Cisco IOS, Windows CE, Wind River, and any other operating system and execution environment that may need analysis.

  • Broad security architecture understanding
    • Authentication systems – when to use them, how to use them, how to break them
    • Encryption technology – when to use it, how to use it (especially), and how it nearly always fails
    • Secure Design – ability to describe what architecture should look like at a level where they can convince existing Architects to change their designs.
    • Capability to determine real world risk in an efficient manner (getting details on what a threat looks like in an objective manner)
    • Security in different models
      • Security in shrinkwrap style software
      • Security in enterprise software
      • Client-server
      • Peer to peer
      • Web app models (SOA, n-tier, mq style, etc)
  • Know the tools
    • Understands and can use common tools for auditing software such as:
      • Fortify
      • Coverity
      • Netsparker (and other web application vulnerability scanning tools)
      • Others
    • Can work within our framework (Jira, GitHub, etc.)

  • Can build new things
    • Comes up with ideas to improve
    • Can take such a project from concept to deployment, often on their own
    • Can extend existing systems (requires using a breadth of skills and learning existing systems effectively)

  • Can communicate internally and externally – we need someone who can use limited authority to convince teams to change on a fundamental level. We achieve this by demonstrating security thought leadership internally and externally.
    • Use appeal to logic or appeal to expertise to convince, as authority is not there
    • Can negotiate reasonable results with a large variety of teams
    • Can build personal working relationships with teams to support ongoing operations
    • Can design and deliver effective training for developers, QA, managers, or anyone as needed.  Training could be either live instruction or CBT, or some combo of both.
    • Can express their knowledge and findings internally both up the chain and to teams themselves
    • Can compress this knowledge to display it externally to customers, partners, and the industry via blogs, talks at conferences, participation in industry groups, and any other needed venues
    • Can work with PR or other external agencies to ensure our message is heard correctly

  • General ability to Get Results at all Costs: execute with urgency
    • Ability to find who internally has needed information
    • Ability to schedule and meet aggressive deadlines
    • Ability to set goals and exceed them
    • Ability to act autonomously for the most part, with minimum support

Our Mission:

To relentlessly protect all that matters through leading edge cyber security, from your workplace to your home and everywhere in between.

Our Vision:

To enable a world where cyber security is so consistent, reliable and effective that it becomes a trusted foundation in our lives – like clean air and water. Our technology enables the world to fully realize the transformative power of the digital age, by protecting all that matters. By doing our job well, we drive limitless innovation, securely.

Our Values:

We live our values day in and day out. Do you think you can live our values with us? If you can, don’t think, just connect with us. Together is power.

  • We achieve Excellence with Speed and Agility
  • We Play to Win or Don’t Play
  • We Innovate without Fear
  • We Practice Inclusive Candor and Transparency
  • We Put the Customer at the Core

Join our Talent Community:  http://careers.mcafee.com/

McAfee prohibits discrimination based on race, color, religion, gender, national origin, age, disability, veteran status, marital status, pregnancy, gender expression or identity, sexual orientation or any other legally protected status.