Security Analyst - GitHub Security Lab

GitHub is seeking a security analyst to join its Security Lab. The qualified candidate will contribute to the curation of the GitHub Advisory Database as well as the operation of the GitHub CVE program.  You will help us grow the breadth and depth of our Advisory Database, and you will help us analyze vulnerability reports for the purposes of assigning and publishing CVEs. In addition to your curation responsibilities you will also have the opportunity to grow into a security research role with the Security Lab research team.

Meet the team:

The mission of the GitHub Security Lab is to inspire and enable the community to secure the open source software we depend on. We create a home for security researchers where they can collaborate and share, with the common goal of securing open source software. 

The GitHub Advisory Database is a core part of the Security Lab’s mission. The GitHub Advisory Database is unique in that it is currently the only freely licensed dataset focused on general open source vulnerabilities. The role of a Security Analyst is to manage the Advisory Database, what sources data is ingested from into the Database, and which standards are followed for the advisories in the ingested datasets.

The GitHub CVE program complements the GitHub Advisory Database. It allows open source maintainers to easily publish advisories and to associate them with CVEs, which are the industry standard for vulnerability identifiers.  The successful candidate will learn and enforce the CVE rules and apply them to GitHub Security Advisories. In this role a fair amount of technical writing is required.

Qualifications:

• Previous experience and exposure to open source software 
• Familiarity with one or more major open source ecosystems such as npm, python, java, etc.
• Strong interest in open source security
• Strong understanding of common software vulnerabilities (OWASP Top 10 for example) and knowledge of secure code principles
• Strong written and verbal communication skills in English and strong technical writing skills  
• Previous experience in the software security domain is a big plus, though other relevant experience will be considered as well
• Ability to work in a team, empathy for others when they need help, accountability when they rely on you

What You’ll Do:

• Add advisories to GitHub Advisory Database using our curation tooling
• Review CVE requests to ensure they conform to the CVE systems rules, assign CVE IDs and ultimately publish CVEs to MITRE
• Write/edit advisory descriptions
• Find ways to grow the breadth, depth, and influence of GitHub AdvisoryDB, including:
  • Finding new sources of advisories
  • Extending the amount and type of data that is curated
  • Working with stakeholders, both internal and external, to help them make the best use of the dataset
  • Writing blog posts, giving talks, and other kinds of public outreach.
• Collaborate with security researchers and influence their research with data you are collecting
• Work as part of a team.

Who We Are:

GitHub is the developer company. We make it easier for developers to be developers: to work together, to solve challenging problems, and to create the world’s most important technologies. We foster a collaborative community that can come together—as individuals and in teams—to create the future of software and make a difference in the world.

Leadership Principles:

Customer Obsessed - Trust by Default - Ship to Learn - Own the Outcome - Growth Mindset - Global Product, Global Team - Anything is Possible - Practice Kindness

Why You Should Join:

At GitHub, we constantly strive to create an environment that allows our employees (Hubbers) to do the best work of their lives. We've designed one of the coolest workspaces in San Francisco (HQ), where many Hubbers work, snack, and create daily. The rest of our Hubbers work remotely around the globe. Check out an updated list of where we can hire here: https://github.com/about/careers/remote

We are also committed to keeping Hubbers healthy, motivated, focused and creative. We've designed our top-notch benefits program with these goals in mind. In a nutshell, we've built a place where we truly love working, we think you will too.

GitHub is made up of people from a wide variety of backgrounds and lifestyles. We embrace diversity and invite applications from people of all walks of life. We don't discriminate against employees or applicants based on gender identity or expression, sexual orientation, race, religion, age, national origin, citizenship, disability, pregnancy status, veteran status, or any other differences. Also, if you have a disability, please let us know if there's any way we can make the interview process better for you; we're happy to accommodate!

Please note that benefits vary by country. If you have any questions, please don't hesitate to ask your Talent Partner.

#LI-POST