Senior Security Engineer

Microsoft · Redmond

Company

Microsoft

Location

Redmond

Type

Full Time

Job Description

Senior Security Engineer / CodeQL Security Researcher
Customer Security Policy and Assurance, Digital Security & Resilience
The mission of Microsoft Digital Security & Resilience (DSR) is to enable Microsoft to build the most trusted devices and services, while keeping our company safe and our data protected. As part of Microsoft's Security, Compliance, Identity, and Management organization, and a steward of Microsoft and our customers' data, a core function of Microsoft DSR is ensuring the security of every aspect of the business. Microsoft DSR is responsible for company-wide information security and compliance, with a strategic focus on information protection, assessment, awareness, governance, and enterprise business continuity. As customer zero, we deploy and secure these services inside Microsoft and then share best practices with enterprise customers at scale across the globe. We have exciting opportunities for you to innovate, influence, transform, inspire and grow within our organization and we encourage you to apply to learn more!
We are seeking a teammate to help us build out the most ambitious and advanced static analysis solution in the world, empowering us to centrally search across all of Microsoft's code for security vulnerabilities, malicious code, and other security interesting patterns. We are looking for folks interested in becoming expert CodeQL query authors to help us detect and eliminate vulnerabilities both within Microsoft's billions of lines of code, and in the open source software of the world. This is an opportunity to leverage your understanding of various programming languages for immense impact both within Microsoft and across the broader software ecosystem.
In this role you will contribute to CodeQL's security ruleset to proactively identify vulnerabilities across Microsoft's products and services, research new vulnerability patterns, and collaborate with Microsoft Security Response Center (MSRC) to rapidly assess billions of lines of code for newly reported vulnerability variants and classes. You will also have the opportunity to research new uses for static analysis, such as back door/malicious code detection and automatic generation of fuzzing test harnesses that will broaden impact and fuel other research. Whenever we can, we open source our work, and you will also be empowering the broader community of CodeQL users in GitHub and at other enterprises.
Our team is fortunate to regularly collaborate with the myriad of skilled security teams in the Microsoft product groups, the language experts in Microsoft's compiler and developer tools team, the engineers directly working on the CodeQL engine in GitHub, and response and threat intel teams charged with watching the evolution of vulnerabilities in the ecosystem. This opportunity will keep you on the frontier of the software security landscape, supported by some of the leading security experts, and in turn you will have the opportunity to support and mentor developing security experts, an explicit part of our team's mission.
As CodeQL is a relatively young technology, no direct prior experience is expected; however, we encourage you to investigate https://codeql.github.com/ prior to applying. If this is the sort of technology you would like to work on, we would like to hear from you.
Preferred work locations:
Atlanta, Georgia
Austin, Texas
Redmond, Washington
Reston, Virginia
Remote in the U.S.
Responsibilities
Key responsibilities:
  • Develop new detections for security vulnerabilities in QL, the language powering CodeQL
  • Research new security vulnerability patterns, and support MSRC when new patterns are reported to them
  • Research and implement novel uses of Static Analysis, and help shape the feature development in CodeQL
  • Collaborate with other areas of subject matter expertise such as Responsible AI, Privacy, and Accessibility, to aid them in similarly empowering developers with high quality analysis for their areas.
  • This position ideally is at least 50% in office in Redmond, WA when the pandemic subsides to reasonable levels, but more flexible work accommodations can be discussed
Qualifications
Required Qualifications:
  • 4+ years of experience with one or more of the following languages: C/C++, JavaScript/TypeScript, C#, Java, Python, Go, or Ruby
  • 1+ years' experience with vulnerability patterns in one or more of the following areas: system/OS/driver code, web applications and services, Windows client applications, Windows or Linux server applications, mobile applications
  • Professional or Academic level experience performing security code reviews - OR - experience using static analyzers
Preferred Qualifications:
  • Familiarity with CodeQL is great
  • The ability to collaborate and communicate effectively with many different audiences
  • Experience authoring detections for static analyzers or linters
  • Experience training or mentoring others
  • Experience researching security vulnerability patterns
Microsoft is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to age, ancestry, color, family or medical care leave, gender identity or expression, genetic information, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran status, race, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable laws, regulations and ordinances. We also consider qualified applicants regardless of criminal histories, consistent with legal requirements. If you need assistance and/or a reasonable accommodation due to a disability during the application or the recruiting process, please send a request via the Accommodation request form.
Benefits/perks listed below may vary depending on the nature of your employment with Microsoft and the country where you work.

Date Posted

08/15/2022
