AppSec Researcher

Sonar’s industry-leading solution enables developers and development teams to write clean code and remediate existing code organically, so they can focus on the work they love and maximize the value they generate for businesses. Its open-source and commercial solutions – SonarLint, SonarCloud, and SonarQube – support 30 programming languages. Trusted by more than 400,000 organizations globally, Sonar is considered integral to delivering better software.

 

As an AppSec Researcher, you play a central role in realizing our ambition to provide the best SAST solution on the market. Like us, you believe that application security is not the responsibility of a few experts and that developers can have the biggest impact when they get the right information at the right time. 

 

As a member of the AppSec team you decide what security issues the product should detect and how they materialize in various language ecosystems. You work closely with static analysis developers to specify, clarify, communicate, and validate all functional aspects of the security rules. 

 

You will be a trusted adviser of developers, able to provide meaningful code samples and specifications. This is a great way to have a direct impact on the product and so on the way millions of developers produce code.

On a daily basis, you will

• • Build expertise on various language ecosystems in order to identify the most common vulnerabilities that developers are facing.
  • Investigate how these vulnerabilities materialize within the code.
  • Define the security rule that will detect these vulnerabilities.
  • Analyze open-source projects and evaluate the results of the security rules.
  • Interact with our user community to clarify and turn this invaluable feedback into actions/decisions: like too noisy vulnerability detection rules or taint-analyzer reporting vulnerabilities without enough contextual information.
  • Drive innovation to make our SAST engine even better.
  • Study competitors and provide gap analysis.

The skills you will demonstrate

• • • Mastering AppSec basics, including knowing most common vulnerabilities, how to locate vulnerabilities in the code, how to exploit basic vulnerabilities. To be successful, you should be interested or involved in the application security ecosystem.
    • Having a developer mindset: experience with coding lifecycle, ability to produce secure code, to do code reviews and to jump in an unknown codebase, language, framework.
    • Master at least one programming language along with its development environment to understand end-users context and expectations.

• • • Strong communication skills, i.e. both listening and expressing constructive ideas.
    • High level of autonomy and still accepting help and feedback from team members.
    • Ability to work and communicate with non-security experts.

• • Understanding of static analysis mechanisms.
  • Ability to challenge rule implementation.
  • Capability to bring a new field of expertise and convert it to additional value to the product.

We are a team of 3 AppSec Researchers with the mission to imagine, define, and maintain security rules that are used by developers around the world. We study how developers would introduce weaknesses in their applications. 

 

We make sure that our security rules are tailor-made for the most widely used environments. We also like to look at the issues that our products find on open source projects where we chase false positives.

 

We are a team of passionate people that enjoy learning from each other. Every day we work at providing developers the best rules and help them own the security of their code.

 

• Safe work culture - we value respect, kindness, and the right to fail.

• Flexible hours - we schedule our days in order to be effective at work, while also being able to enjoy life’s important moments.

• Great people - we value people skills as much as technical skills and strive to keep things friendly and laid back. Still, that does not prevent us to be passionate leaders in our domains. Our 300+ SonarSourcers from 33 different nationalities can relate!

• Work-life balance - keeping a healthy work-life balance is important. This is why we have a hybrid work policy and some people prefer working some days from home.

• Always keep learning - in an ever-changing industry, learning new skills is a must, and we're happy to help our team to acquire them.

 

Sonar was started by a team of developers that wanted to change the way code is built in an agile development process. The company was created to develop the open-source tool SonarQube, which is now the standard in code quality management with over 350,000 instances deployed today. Every day we are focused on solving developers’ next big problem.

 

Who we are

 

At Sonar we believe in people, excellence, and delivery. We’re a team of problem solvers and overachievers who seek out others who are also passionate and relentless in their respective missions. We want to work with people who are ready to fasten their seat belts and be part of an incredible ride. We work hard not because we’re told to, but because we genuinely love what we do and do what we love. If there’s one main message we want you to remember about us, it’s that we push others to be best in class at whatever they do: choose your battle, innovate, take risks, and lead change. Join us; we’ll be smarter and stronger together.

 

If this sounds like you, apply now!