Principal Security Engineer

at Microsoft

London, England, United Kingdom

Start Date: Immediate
Expiry Date: 09 Jul, 2024
Salary: Not Specified
Posted On: 10 Apr, 2024
Experience: N/A
Skills: Computer Science, Ethnicity, Linux Server, Python, Color, Citizenship, Ordinances, Windows, Java, Mathematics, Modeling, Microsoft, Static Analysis, Swift, Software Development, Cyber Security, Anomaly Detection, Web Applications, Ruby, Regulations, Statistics, Kotlin, It
Telecommute: No
Sponsor Visa: No

Description:

We are seeking a Principal Security Engineer to help us build out the most ambitious and advanced static analysis solution in the world, empowering us to centrally search across all of Microsoft’s code for security vulnerabilities, malicious code, and other security-interesting patterns. We are looking for individuals interested in becoming expert CodeQL query authors to help us detect and eliminate vulnerabilities both within Microsoft’s billions of lines of code, and in the open-source software of the world. This is an opportunity to leverage your understanding of various programming languages for immense impact both within Microsoft and across the broader software ecosystem.
The mission of Microsoft Digital Security & Resilience (DSR) is to enable Microsoft to build the most trusted devices and services, while keeping our company safe and our data protected. As part of the Microsoft Security organization, and a steward of Microsoft and our customers’ data, a core function of Microsoft DSR is ensuring the security of every aspect of the business. Microsoft DSR is responsible for company-wide information security and compliance, with a strategic focus on information protection, assessment, awareness, governance, and enterprise business continuity. As customer zero, we deploy and secure these services inside Microsoft and then share best practices with enterprise customers at scale across the globe. We have exciting opportunities for you to innovate, influence, transform, inspire, and grow within our organization and we encourage you to apply to learn more!
In this role you will contribute to CodeQL’s security ruleset to proactively identify vulnerabilities across Microsoft’s products and services, research new vulnerability patterns, and collaborate with the Microsoft Security Response Center (MSRC) to rapidly assess billions of lines of code for newly reported vulnerability variants and classes. You will also have the opportunity to research new uses for static analysis, such as back door/malicious code detection and automatic generation of fuzzing test harnesses that will broaden impact and fuel other research. Whenever we can, we open source our work, and you will also be empowering the broader community of CodeQL users in GitHub and at other enterprises.
Our team is fortunate to regularly collaborate with the myriad of skilled security teams in the Microsoft product groups, the language experts in Microsoft’s compiler and developer tools team, the engineers directly working on the CodeQL engine in GitHub, and response and threat intel teams charged with watching the evolution of vulnerabilities in the ecosystem. This opportunity will keep you on the frontier of the software security landscape, supported by some of the leading security experts, and in turn you will have the opportunity to support and mentor developing security experts, an explicit part of our team’s mission.
As CodeQL is a relatively young technology, no direct prior experience is expected; however, we encourage you to investigate https://codeql.github.com/ prior to applying. If this is the sort of technology you would like to work on, we would like to hear from you.
Microsoft’s mission is to empower every person and every organization on the planet to achieve more. As employees we come together with a growth mindset, innovate to empower others, and collaborate to realize our shared goals. Each day we build on our values of respect, integrity, and accountability to create a culture of inclusion where everyone can thrive at work and beyond.

REQUIRED QUALIFICATIONS:

  • Bachelor’s Degree in Statistics, Mathematics, Computer Science, Risk Management, Cyber Security, or related field or extensive experience in software development lifecycle, large scale computing, modeling, cyber security, anomaly detection
  • OR equivalent experience.
  • Experience in collaborating and communicating effectively with many different audiences.
  • Strong experience with C/C++ and familiarity with one or more of the following: Rust, C#, JavaScript/TypeScript, Java, Kotlin, Python, Go, Swift, or Ruby. Should be able to describe in depth the semantics of the language.
  • Familiarity with vulnerability patterns in one or more of the following areas: system/OS/driver code, web applications and services, Windows client applications, Windows or Linux server applications, mobile applications.
  • Experience with static analysis, symbolic execution, or comparable code analysis technologies.

PREFERRED QUALIFICATIONS:

  • Master’s Degree in Statistics, Mathematics, Computer Science, Risk Management, Cyber Security, or related field and extensive experience in software development lifecycle, large scale computing, modeling, cyber security, anomaly detection
  • Certified Information Systems Security Professional (CISSP) Certification, Security+ Certification, or relevant certification.
  • Familiarity with CodeQL is great (you are going to be working with it a lot, so we highly recommend spending some time playing with it to see if that is what you want for your career)
  • Experience authoring detections for static analyzers or linters.
  • Experience training or mentoring others.
  • Experience researching security vulnerability patterns.

#CodeQL #SecurityAnalysis #StaticAnalysis #DSR #MSFTSecurity

Microsoft is an equal opportunity employer. Consistent with applicable law, all qualified applicants will receive consideration for employment without regard to age, ancestry, citizenship, color, family or medical care leave, gender identity or expression, genetic information, immigration status, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran or military status, race, ethnicity, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable local laws, regulations and ordinances. If you need assistance and/or a reasonable accommodation due to a disability during the application process, read more about requesting accommodations

Responsibilities:

  • Develop new detections for security vulnerabilities in QL, the language powering CodeQL
  • Research new security vulnerability patterns, and support MSRC when new patterns are reported to them
  • Research and implement novel uses of Static Analysis, and help shape the feature development in CodeQL
  • Collaborate with other areas of subject matter expertise such as Responsible AI, Privacy, and Accessibility, to aid them in similarly empowering developers with high quality analysis for their areas.
  • The team is primarily US based, though collaborates with the core CodeQL product team primarily based in Western Europe. The position can be fully remote; however, the candidate is expected to have a workday that overlaps with the morning and early afternoon Pacific time.


REQUIREMENT SUMMARY

Min: N/A, Max: 5.0 year(s)

Information Technology/IT

IT Software - Network Administration / Security

IT

Graduate

Software development lifecycle large scale computing modeling cyber security anomaly detection

Proficient

1

London, United Kingdom