SonarSource

Geneva, CH

Static Code Analysis – AppSec Researcher

SonarSource builds world-class products for Code Quality and Security. Our open-source and commercial code analyzers – SonarLint, SonarCloud, SonarQube – support 27 programming languages, empowering dev teams of all sizes to fix coding issues within their existing workflows. With over 6,000 customers and a Community Edition trusted by more than 200,000 organizations globally, SonarSource products are a de facto standard for teams and organizations that want to deliver better, safer software.

The impact you can have

As an AppSec Researcher, you play a central role in realizing our ambition to provide the best SAST solution on the market. Like us, you believe that application security is not the responsibility of a few experts, and that developers have the biggest impact when they get the right information at the right time. As a member of the AppSec team, you work closely with the static analysis developers to specify, clarify, communicate, and validate all functional aspects of our security rules. You won’t be a developer writing and implementing security rules, nor a pure vulnerability hunter. You will rather be a trusted adviser to developers, able to provide meaningful code samples and specifications. This is a great way to have a direct impact on the product, and thus on how millions of developers write code.

On a daily basis, you will

  • Research specific domains and build expertise in them, in order to write and improve our rule specifications
  • Analyze open-source projects and evaluate the results produced by our security rules
  • Engage with our user community to clarify their feedback and turn it into actions and decisions, for example when a vulnerability detection rule is too noisy, or when the taint analyzer reports a vulnerability without enough contextual information for the developer to understand it
  • Drive innovation to make our SAST engine even better
  • Study competitors and provide gap analyses

The skills you will demonstrate

Technical skills

  • Mastery of AppSec fundamentals: knowing the most common vulnerability classes, how to locate them in code, and how to exploit basic ones. To be successful, you should be interested or involved in the application security ecosystem.
  • A developer mindset: experience with the development lifecycle, the ability to write secure code and to do code reviews, and the ability to jump into an unknown codebase, language, or framework.
  • Mastery of at least one programming language and its development environment, so that you understand the context and expectations of end users.

Soft skills

  • Strong communication skills, i.e. both listening and expressing constructive ideas
  • A high level of autonomy, while still accepting help and feedback from team members
  • Ability to work and communicate with non-security experts

Nice to have

  • Understanding of static analysis mechanisms
  • Ability to challenge how a rule is implemented
  • Ability to bring in a new field of expertise and turn it into additional value for the product

Words from the team

We are a team of 3 AppSec Researchers with the mission to imagine, define, and maintain security rules that are used by developers around the world.

We study how developers would introduce weaknesses in their applications.

We make sure that our security rules are tailor-made for the most widely used environments. We also like to look at the issues that our products find on open-source projects, where we chase false positives and exploitable vulnerabilities.

We are a team of passionate people who enjoy learning from each other. Every day we work on providing developers with the best rules and helping them own the security of their code.


About SonarSource

SonarSource is a Swiss company created in 2008 by three founders. Our open-source and commercial code analyzers – SonarLint, SonarCloud, SonarQube – support 27 programming languages, empowering dev teams of all sizes to fix coding issues within their existing workflows. With over 6,000 customers and a Community Edition trusted by more than 200,000 organizations globally, SonarSource products are a de facto standard for teams and organizations that want to deliver better, safer software.

Why you will love it here

Safe work culture

We value respect, kindness, and the right to fail.

Great people

We value people skills as much as technical skills and strive to keep things friendly and laid back. Still, that does not prevent us from being passionate and leaders in our domains. Our 100+ SonarSourcers from 25 different nationalities can relate!

Work-life balance

Keeping a healthy work-life balance is important. We schedule our days in order to be effective at work, while also being able to enjoy life’s important moments.

Always keep learning

In an ever-changing industry, learning new skills is a must, and we're happy to help our teams acquire them.