SonarSource builds world-class products for Code Quality and Security. Our open-source and commercial code analyzers – SonarLint, SonarCloud, SonarQube – support 27 programming languages, empowering dev teams of all sizes to solve coding issues within their existing workflows. With over 6,000 customers and a Community Edition trusted by more than 200,000 organizations globally, SonarSource products are a de-facto standard for teams and organizations to deliver better, safer software.
The impact you can have
You will be a trusted adviser of developers, able to provide meaningful code samples and specifications. This is a great way to have a direct impact on the product and so on the way how millions of developers produce code.
On a daily basis, you will
- Build expertise on various language ecosystems in order to identify the most common vulnerabilities that developers are facing.
- Investigate how these vulnerabilities materialize within the code.
- Define the security rule that will detect these vulnerabilities.
- Analyze open-source projects and evaluate the results of the security rules.
- Interact with our user community to clarify and turn this invaluable feedback into actions/decisions: like too noisy vulnerability detection rules or taint-analyzer reporting vulnerabilities without enough contextual information.
- Drive innovation to make our SAST engine even better.
- Study competitors and provide gap analysis.
The skills you will demonstrate
- Mastering AppSec basics, including knowing most common vulnerabilities, how to locate vulnerabilities in the code, how to exploit basic vulnerabilities. To be successful, you should be interested or involved in the application security ecosystem.
- Having a developer mindset: experience with coding lifecycle, ability to produce secure code, to do code reviews and to jump in an unknown codebase, language, framework.
- Master at least one programming language along with its development environment to understand end-users context and expectations.
- Strong communication skills, i.e. both listening and expressing constructive ideas.
- High level of autonomy and still accepting help and feedback from team members.
- Ability to work and communicate with non-security experts.
Nice to have
- Understanding of static analysis mechanisms.
- Ability to challenge rule implementation.
- Capability to bring a new field of expertise and convert it to additional value to the product.
Words from the team
We are a team of 3 AppSec Researchers with the mission to imagine, define, and maintain security rules that are used by developers around the world. We study how developers would introduce weaknesses in their applications.
We make sure that our security rules are tailor-made for the most widely used environments. We also like to look at the issues that our products find on open source projects where we chase false positives.
We are a team of passionate people that enjoy learning from each other. Every day we work at providing developers the best rules and help them own the security of their code.