Senior Security Evaluator – Crypto code review

Product security is the result of a combination of security provided by hardware and software. In general, security cannot be provided by hardware alone and needs to be complemented by security implemented in software. The smallest details can make the difference between a secure and an insecure product. Careful examination is therefore required to judge the security quality.

Most ICT products for secure applications implement cryptographic operations. During the vulnerability analysis of these products, the code of the crypto library is thoroughly analyzed to identify weaknesses in the implementation of the crypto algorithms with the aim of exploiting attacks using advanced techniques such as fault injection or side channel analysis.

As a Senior Security Evaluator – Crypto code review, you apply your expertise in secure cryptographic implementations to identify the security mechanisms and define sophisticated attack scenarios using state-of-the-art attack methods. It is your responsibility to convince product developers of your findings to allow them to improve their cryptographic implementations, and to provide sufficient argumentation to certification schemes why a product is still secure.

SGS Brightsight is looking for enthusiastic cryptography experts with some background in hardware security who are up for this challenge and believe they have the capabilities to perform these assessments.

You will collaborate in different evaluation teams with experts in different fields, including secure coding, secure hardware design, fault injection, side channel analysis, cryptography, and evaluation methodology, with the goal of assessing whether products can be certified.

During these assessments you will have direct contact with crypto library developers and provide feedback on their solutions. Customer meetings are internationally oriented, involving discussions in different cultural contexts. You will document the findings and argumentation for both the product developer and the approval bodies. You will also support colleagues who are executing in the labs the attack scenarios you have defined.

Products are changing rapidly, as are the attacks applied to these products. Thus, crypto library code reviewers require constant improvement and adaptation to keep on top of what is in the field and could threaten products currently being assessed. You will gain significant knowledge on secure product implementation by having access to different vendor solutions. The interaction with many developers around the world is a great experience that will trigger continuous improvement.

To get up to speed for this position you will participate in the Brightsight training program on methodology and technology. You will also join different technical domain groups, such as crypto and side channel, where technical experts meet globally to discuss the state of the art, daily challenges, and improvements. You will work in a very international environment and have the opportunity to learn from reviewing and assessing many secure implementations.

Qualifications

• BSc, MSc or PhD degree in a technical field such as Information Security, Computer Science, Electronics, or Mathematics, with experience in cryptographic implementations and testing for embedded systems
• Knowledge of cryptographic algorithms including DES, AES, RSA, ECC, and HMAC, and experience with secure implementations
• Demonstrable understanding of Post Quantum Cryptography is preferred
• Ability to understand state-of-the-art attack methods such as side channel analysis and fault injection to perform security assessments
• Ability to communicate knowledge convincingly, both orally and in writing, to internal and external entities
• Ability to guide and support experts in side channel and fault injection attacks by clearly explaining weaknesses in implementations
• Good knowledge of the English language

What SGS Brightsight offers

SGS Brightsight provides a very good training program, from the basics to expert level. We offer a supportive work environment that fosters professional growth and development.

• Be part of a multicultural team with highly motivated colleagues from all over the world
• Work for the recognized global leader in security evaluations
• Work with all major developers on their latest innovations
• Enjoy an informal and intellectually challenging work environment