Hewlett Packard Enterprise • posted 14 days ago
Full-time • Senior
San Juan, TX
Computer and Electronic Product Manufacturing

About the position

The Senior Security Engineer/Threat Researcher position will be part of Aruba Threat Labs, an internal product security group focused on researching and improving the security of HPE Aruba Networking's products, the company's secure development practices, and the company's vulnerability disclosure processes. Based in the Office of the CTO, the Senior Security Engineer/Threat Researcher will have responsibility across Aruba's entire product portfolio, including LAN switching, Wi-Fi, Network Access Control, cloud, and security monitoring solutions.

Responsibilities

  • Conduct advanced security assessments of HPE Aruba networking products, including manual code reviews and penetration testing, to uncover vulnerabilities such as memory-unsafe errors, insecure deserialization, and authentication/authorization flaws.
  • Develop proofs of concept (PoCs) to demonstrate the exploitability of identified vulnerabilities and provide actionable remediation guidance to engineering teams when requested.
  • Develop and maintain custom tools to assist in vulnerability discovery, exploit development, and tracking and disclosure of vulnerabilities to the public.
  • Assist in managing Aruba's bug bounty program, collaborating with external researchers and product engineering teams to triage, reproduce, and remediate reported vulnerabilities.
  • Assist in writing vulnerability disclosure bulletins and managing the process of releasing those bulletins to the public.
  • Serve as a subject-matter expert on secure coding practices, particularly in memory-safe and memory-unsafe programming languages, and evangelize these practices across product engineering teams.
  • Conduct original security research on non-Aruba products and technologies, including discovering new vulnerabilities, publishing papers, and presenting at leading security conferences.
  • Positively represent Aruba in the global security community by fostering collaboration with security researchers while balancing the goals of researchers with the needs of our customers.

Requirements

  • B.S. or M.S. in software engineering, computer science, cybersecurity or a related field (or equivalent experience).
  • 6+ years of professional experience in software engineering, vulnerability research, penetration testing, or a related security discipline.
  • Programming experience in C and at least one additional language used for secure software development, such as Rust, Go, or Python.
  • Hands-on experience with security testing tools and techniques, such as fuzzing, reverse engineering, and exploit development frameworks (e.g., Metasploit, Immunity Debugger, Ghidra, or IDA Pro).
  • Understanding of memory-unsafe vulnerabilities, including buffer overflows, use-after-free, integer overflows, and format string vulnerabilities, as well as mitigation techniques such as ASLR, DEP, and stack canaries.
  • Strong knowledge of web application security, including OWASP Top 10 vulnerabilities such as XSS, SQL injection, XXE, CSRF and insecure deserialization.
  • Familiarity with secure coding practices, threat modeling, and static and dynamic application security testing (SAST/DAST) tools.
  • Knowledge of modern cryptographic algorithms and security protocols (e.g., TLS, IPsec, OAuth) and their implementation pitfalls.
  • Demonstrated ability to analyze, exploit, and remediate security vulnerabilities in complex codebases.
  • Strong written and verbal communication skills, with the ability to create detailed technical reports and convey complex concepts to both technical and non-technical stakeholders.

Nice-to-haves

  • Experience with fuzzing frameworks (e.g., AFL, libFuzzer) and advanced static analysis tools.
  • Knowledge of reverse engineering firmware, embedded systems, or IoT devices.
  • Familiarity with secure development lifecycles (SDLC) and DevSecOps practices.
  • Knowledge of modern cloud architectures and security concerns in cloud-native applications.
  • Experience contributing to or managing open-source security projects.
  • Certifications such as OSCP, OSWE, or GREM are a plus, but not required.

Benefits

  • Health & Wellbeing: Comprehensive suite of benefits that supports physical, financial and emotional wellbeing.
  • Personal & Professional Development: Programs catered to helping you reach career goals.
  • Unconditional Inclusion: A culture that celebrates individual uniqueness and values varied backgrounds.