Security Software Engineer II – Azure Red Team - Microsoft

Remote · Redmond, United States
Skills:
c# rest python azure

Microsoft runs on trust. On the Azure Red Team, we're committed to making Azure the most trusted cloud for customers worldwide. Our team provides a critical component of Azure's “Assume Breach” security strategy by emulating determined attackers who seek to compromise our platform.

We are looking for a creative and collaborative computer security professional to join our growing breach operations team for the Azure cloud. We are one of several offensive security teams within Microsoft, and our primary responsibility is to execute red team operations against Azure services and their dependencies. Through our attacks, we identify and drive improvements to Microsoft's capability to protect Azure, detect adversaries, and respond to any breach.

This is a unique position on a unique offensive security team. To be successful, you will need strong organizational, technical, and communication skills, as well as eagerness to keep learning. We will provide mentorship and training to help you grow, do your best work, and succeed in the role.

Our work begins with strategy and target selection. The Azure Red Team has a rare all-up perspective on the platform, and our leadership team trusts us to select targets in a largely unconstrained way. As a breach operator on our team, you will work collaboratively with other operators, the leadership team, and other Microsoft stakeholders to select high-value components of the Azure platform to breach.

With a target selected, you will research and take apart any relevant Azure services and other components of the platform. Along the way, you will be looking for vulnerabilities, misconfigurations, poor security posture—anything that might allow an adversary to get into the target. You'll also become an expert on those services and components!

In the action phase of your operation, you’ll leverage any found vulnerabilities and your expert knowledge to execute attacks, both external and internal in origin, against those services or platform components. You’ll exercise your creativity and out-of-the-box thinking to pivot, move laterally, and eventually compromise the target service. Throughout this process, you’ll follow our documented rules of engagement that protect Microsoft customers and their data.

Lastly, you will collaborate with engineering teams, security architects, and our incident responders who work tirelessly to keep Azure secure. You'll present your findings through proof-of-concept exploits, papers, bug reports, presentations, and formal reports. As a trusted advisor and security expert, you'll provide an honest and unbiased assessment of our security posture, which will aid in guiding priorities for the organization. You’ll then work closely with engineering teams to define mitigation strategy, push implementation forward, and measure progress.

Required Qualifications:  

  • A bachelor’s degree (or higher) in an engineering or computer science related discipline, or relevant work experience
  • At least 18 months of work experience in a security or software engineering related field

Preferred Qualifications:

  • The attacker mindset: a creative and curious outlook when looking at a computer system or business process.
    • Can you look for ways to subvert the intention of the designer of that system or process?
    • Can you make the system or process serve an attacker’s interests (your interests!) instead?
  • The organizational skill to plan and execute complex operations with many partners and stakeholders.
    • Great note-taking skills: we take thorough notes during all phases of our work, including target selection & planning, early partner engagement, research & recon, actions against the objective, and reporting & follow-up work.
    • Perseverance and a detail-oriented approach: as an operation unfolds, a few major and many minor themes tend to emerge. We seek to follow up on as many threads as possible, and to motivate change throughout the organization.
  • Strong research and technical skills, to be able to take apart unfamiliar services, rapidly become an expert, and then find security problems. No specific technology experience is required! However, some of the platforms and technologies we regularly work with include:
    • Both Windows and Linux.
    • Python, PowerShell, bash, and other interpreted languages.
    • C#, .NET, and ASP.NET.
    • The Azure cloud platform.
    • Azure Active Directory, Active Directory, certificates, and public key infrastructure.
    • Software supply chain platforms like Git, GitHub Actions, Azure Pipelines, container & package registries, etc.
  • Excellent written and verbal communication skills, to be able to effectively present the results of a red team operation to stakeholders.
    • An open and honest presentation style that puts security problems in sharp focus. In this role, you’ll have regular opportunities to present to executives, including senior executives.
    • Especially prized on this team are clarity of thought and the ability to reason strategically about problems at scale.
  • A growth mindset: enthusiastic about both learning and teaching.
    • Microsoft has many different red teams, of which the Azure Red Team is just one. You’ll be a part of this larger (and growing) offensive security community, with the regular opportunity to exchange notes or even to swap teams for an operation or two.

The ability to meet Microsoft, customer and/or government security screening requirements is required for this role. These requirements include, but are not limited to, the following specialized security screenings: Microsoft Cloud Background Check. This position will be required to pass the Microsoft Cloud background check upon hire/transfer and every two years thereafter.

Microsoft is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to age, ancestry, color, family or medical care leave, gender identity or expression, genetic information, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran status, race, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable laws, regulations and ordinances.  We also consider qualified applicants regardless of criminal histories, consistent with legal requirements. If you need assistance and/or a reasonable accommodation due to a disability during the application or the recruiting process, please send a request via the Accommodation request form.

Benefits/perks listed below may vary depending on the nature of your employment with Microsoft and the country where you work.

Published on: 9/28/2022

About Microsoft

https://microsoft.com

Microsoft is on a mission to empower every person and every organization on the planet to achieve more. Our culture is centered on embracing a growth mindset, a theme of inspiring excellence, and encouraging teams and leaders to bring their best each day. In doing so, we create life-changing innovations that impact billions of lives around the world. You can help us to achieve our mission.
