Collaborate with other engineers in the Security Hardening team to achieve and retain various Security certifications
Extend and enhance Linux cryptographic components (OpenSSL, Libgcrypt, GnuTLS, and others) with the features and functionality required for FIPS and CC certification
Collaborate with external security consultants to test and validate kernel and crypto module components
Work with external partners to develop security hardening benchmarks and audit + remediation automation for Ubuntu
Contribute to Ubuntu mainline and upstream projects to land solutions and benefit the community
Communication and collaboration within and outside Canonical to identify opportunities to improve our security posture, rapidly resolve issues, and deliver high-quality solutions on schedule
What we are looking for in you
Hands-on experience with low-level Linux cryptography APIs and debugging
Excellent software engineering fundamentals, including prior experience with C development, and the ability to demonstrate such
Hands-on experience with Linux system administration and shell scripting
Demonstrated knowledge of security and cryptography fundamentals + direct experience writing secure code and implementing best practices
Significant development experience working with open source libraries
Excellent verbal and written communications to enable efficient collaboration with internal and external partners in a remote-first environment
Additional Skills That You Might Also Bring
Prior experience working on FIPS/Common Criteria certified products and in-depth knowledge of the underlying standards
Prior experience working directly with DISA-STIG or CIS benchmarks, including related audit + remediation tooling (e.g. Compliance as Code)
Experience working directly with Linux Kernel
Prior experience with Python, OVAL (Open Vulnerability Assessment Language), and Ansible
History of contributions to open source projects
Desired candidate profile
1. Cryptography Implementation and Management
Encryption/Decryption: Implement and manage encryption schemes for data at rest, data in transit, and communication between systems. Use tools like OpenSSL, GPG, and other cryptographic libraries to secure data.
Key Management: Manage encryption keys securely using tools such as HashiCorp Vault, AWS KMS, or custom key management solutions. Ensure best practices for key lifecycle management (generation, storage, rotation, revocation).
Cryptographic Protocols: Implement and support secure communication protocols, such as SSL/TLS, IPSec, and SSH, ensuring they meet industry standards for confidentiality and integrity.
2. Linux Security Hardening
System Hardening: Perform system hardening on Linux servers by configuring and maintaining security best practices, such as disabling unnecessary services, implementing least-privilege access, configuring firewalls (iptables/nftables), and applying security patches.
SELinux/AppArmor: Configure and manage Security-Enhanced Linux (SELinux) or AppArmor to enforce security policies that protect against unauthorized access to system resources.
Audit and Logging: Configure Linux audit frameworks (e.g., auditd) and log management tools (e.g., syslog, rsyslog) to monitor for suspicious activities and ensure compliance with security policies.
Access Control: Set up and manage user and group permissions, configure sudoers file, and apply proper authentication mechanisms (e.g., PAM, two-factor authentication).
3. Security Incident Response
Incident Detection: Implement and configure intrusion detection/prevention systems (IDS/IPS), monitor for anomalous behaviors, and use tools like OSSEC, Snort, or Suricata.
Forensics: In the event of a security breach, perform forensic analysis to identify the root cause, scope, and impact of the incident. Analyze logs, file system integrity, and other system artifacts.
Threat Mitigation: Develop and implement mitigation strategies to reduce vulnerabilities, including deploying patches, security fixes, and configuration changes to prevent further attacks.
4. Vulnerability Assessment and Penetration Testing
Vulnerability Scanning: Conduct vulnerability assessments on Linux systems using tools like Nessus, OpenVAS, or Lynis to identify security flaws and weaknesses.
Penetration Testing: Perform penetration tests to identify potential vulnerabilities in the system or network. Use tools such as Metasploit, Burp Suite, or custom scripts to simulate attacks and assess system defenses.
Security Audits: Conduct security audits to evaluate the effectiveness of security controls, identify weaknesses, and recommend remediation actions.
5. Compliance and Security Best Practices
Compliance Requirements: Ensure systems are compliant with relevant regulations and standards, such as PCI DSS, HIPAA, GDPR, or FISMA. Implement security controls and audits to meet compliance requirements.
Security Documentation: Create and maintain detailed documentation of security policies, procedures, and configurations. This includes documentation for cryptographic implementations, incident response procedures, and security audits.
Security Policies: Develop and enforce organizational security policies, including those related to encryption standards, key management, secure coding practices, and network security.
6. Continuous Improvement
Research and Development: Stay up-to-date with the latest cryptographic algorithms, Linux security tools, and vulnerabilities. Experiment with new technologies and tools to improve the security posture of Linux systems.
Automation: Automate security tasks and processes using scripting languages like Bash, Python, or Ansible to enhance the efficiency and reliability of security operations.
Patch Management: Ensure that systems are regularly patched with the latest security updates and that vulnerabilities are mitigated in a timely manner.