General Information

Req #: WD00037896
Career area: Project Management
Country/Region: Brazil
State: São Paulo
City: Indaiatuba
Date: Monday, January 2, 2023
Working time: Full-time
Additional Locations
* Brazil - São Paulo - São Paulo
* Brazil - São Paulo - Indaiatuba - Mobile
* Brazil - São Paulo - Sao Paulo - Mobile
* Brazil - São Paulo - Indaiatuba Mobile

Why Work at Lenovo

We are Lenovo. We do what we say. We own what we do. We WOW our customers.

Lenovo is a US$62 billion revenue global technology powerhouse, ranked #217 in the Fortune Global 500, employing 77,000 people around the world, and serving millions of customers every day in 180 markets. Focused on a bold vision to deliver smarter technology for all, Lenovo has built on its success as the world’s largest PC company by further expanding into growth areas that fuel the advancement of ‘New IT’ technologies (client, edge, cloud, network, and intelligence) including server, storage, mobile, software, solutions, and services.

This transformation together with Lenovo’s world-changing innovation is building a more inclusive, trustworthy, and smarter future for everyone, everywhere. To find out more visit www.lenovo.com, and read about the latest news via our StoryHub.

Description and Requirements

This is an exciting role where you will be working with a global team of development engineers and security professionals, assessing and securing a new Lenovo product: an end-user Linux distribution for use on Lenovo personal computers. You will manage a small security team with one project manager and two security engineers, and work with multiple development teams across Lenovo to ensure that the product is secure by design and developed securely.

What You'll Do:

  • Lead a global team of software security engineers and development security champions to assess the security posture of Lenovo and 3rd party developed applications for Linux and firmware for embedded devices
  • Partner with Global PCSD BU Leaders to ensure that all Linux-based products go through the SCOE Global Security Lab’s Security Review process, so that all PCSD Products are properly secured before they are released to production
  • Be responsible for your team’s annual KPIs to ensure they are completed successfully.
  • Conduct security assessments of Linux client applications, both Lenovo-developed and 3rd party, using industry-standard tools and techniques to identify vulnerabilities.
  • Risk-rank identified threats to prioritize mitigation and remediation activities.
  • Help train members of development teams in secure development best practices
  • Perform security code reviews of application source code
  • Constantly look for opportunities to improve the efficiency and effectiveness of your team and execute on them.
  • Participate in software design sessions with development teams, analyzing and assisting in the secure design and architecture of PC application software
  • Work with software designers, developers, project managers, and testers, developing close working partnerships with development teams, to review, assist and recommend changes and solutions to address the security of Lenovo- and third party-developed software
  • Act as a trusted advisor and subject matter expert to product development and engineering teams - provide advice on secure application design, development and validation
  • Identify and evaluate needed tools and refine processes and procedures to ensure security reviews are performed correctly.  
  • Define security requirements for Lenovo and third-party development teams.
  • Stay current in the latest security tools, methodologies, and best practices
  • Act as a Secure Development Lifecycle evangelist, guiding and training the Linux product team on applying secure development practices effectively and efficiently

Basic Qualifications:

  • Bachelor’s degree in Computer Science, Computer Engineering, Software Engineering, or related field; or relevant cybersecurity experience of 5+ years
  • 3+ years management experience managing software developers and/or cybersecurity teams
  • 5+ years of experience in computer programming, secure software design, vulnerability management, and product security testing
  • 5+ years of Linux development experience and hardening Linux installations

Preferred Qualifications:

  • Experience in developing Linux applications using common application programming interfaces such as Gnome and systemd.
  • Familiarity with general security testing and reverse engineering tools, such as Burp Suite, Kali, ZAP, etc.
  • Understanding of general secure development practices: code review, static analysis, OWASP, BSIMM, etc.
  • General knowledge of cryptography concepts such as hash functions and symmetric/asymmetric encryption
  • Knowledge of and experience with applying Common Weakness Enumeration (CWE), Common Vulnerability Scoring System (CVSS), Common Vulnerabilities and Exposures (CVE) and Open Web Application Security Project (OWASP) processes and remediation recommendations.
  • An understanding and ability to communicate the techniques, tactics, and practices of an attacker
  • Excellent leadership, planning, communication, and organizational skills
  • Ability to perform security assessments of Linux drivers, daemons, and applications -- experience with web applications is a plus.
  • Experience performing static analysis and code reviews.
  • Experience with C/C++, Python, and Bash shell scripting. Familiarity with all languages is required.  
  • Proficiency in software development practices, release planning, and quality assurance.
  • Ethical hacking/penetration testing that identifies weaknesses in applications and in the transmission and storage of data.
  • Familiarity with development life cycle practices such as Agile. 
  • Familiarity with security and privacy frameworks, standards, and regulations like GDPR, CCPA, CSA STAR, ISO 27000 series, NIST, etc. 
  • Strong learning ability, strong self-drive, good adaptability, and passion for security.
  • Strong communication skills
  • Advanced English
  • Experience in reverse engineering, disassemblers, debuggers, and developing exploits is a plus.
  • Detailed knowledge of security vulnerabilities and remediation techniques
  • Multiple Industry security certifications such as CISSP, CCSP, SANS-GEVA (or other SANS certs), OCSP desired.
