SonarSource builds world-class products for Code Quality and Security. Our open-source and commercial code analyzers - SonarLint, SonarCloud, SonarQube - support 27 programming languages, empowering dev teams of all sizes to solve coding issues within their existing workflows. With over 6,000 customers and a Community Edition trusted by more than 200,000 organizations globally, SonarSource products are a de-facto standard for teams and organizations to deliver better, safer software.
The impact you can have
As an AppSec Researcher, you play a central role to realize our ambition to provide the best SAST solution on the market. Like us, you believe that application security is not the responsibility of a few experts and that developers can have the biggest impact when they get the right information at the right time. As a member of the AppSec team, you work closely with static analysis developers to specify, clarify, communicate, and validate all functional aspects. You won’t be a developer writing and implementing security rules, nor a pure vulnerability hunter. You will rather be a trusted adviser of developers able to provide meaningful code samples and specifications. This is a great way to have a direct impact on the product and so on the way how millions of developers produce code.
On a daily basis, you will
- Run research on specific domains and become an expert to provide and improve our rule specifications
- Analyze open-source projects and evaluate the results of the security rules
- Interact with our user community to clarify and turn this invaluable feedback into actions/decisions: like too noisy vulnerability detection rules or taint-analyzer reporting vulnerabilities without enough contextual information
- Drive innovation to make our SAST engine even better
- Study competitors and provide gap analysis
The skills you will demonstrate
Technical skills
- Mastering AppSec basics, including knowing most common vulnerabilities, how to locate vulnerabilities in the code, how to exploit basic vulnerabilities. To be successful, you should be interested or involved in the application security ecosystem.
- Having a developer mindset: experience with coding lifecycle, ability to produce secure code, to do code reviews, and to jump in an unknown codebase, language, framework.
- Master at least one programming language along with its development environment to understand end-users context and expectations.
Soft skills
- Strong communication skills, i.e. both listening and expressing constructive ideas
- High level of autonomy and still accepting help and feedback from team members
- Ability to work and communicate with non-security experts
Nice to have
- Understanding of static analysis mechanisms
- Ability to challenge rule implementation
- Capability to bring a new field of expertise and convert it to additional value to the product
Words from the team
We are a team of 3 AppSec Researchers with the mission to imagine, define, and maintain security rules that are used by developers around the world.
We study how developers would introduce weaknesses in their applications.
We make sure that our security rules are tailor-made for the most widely used environments. We also like to look at the issues that our products find on open source projects where we chase false positive and exploitable vulnerabilities.
We are a team of passionate people that enjoy learning from each other. Everyday we work at providing developers the best rules and help them own the security of their code.
Why you will love it here
- Safe work culture
We value respect, kindness, and the right to fail. - Flexible hours
We schedule our days in order to be effective at work, while also being able to enjoy life’s important moments. - Great people
We value people skills as much as technical skills and strive to keep things friendly and laid back. Still, that does not prevent us to be passionate and leaders in our domains. Our 100+ SonarSourcers from 20 different nationalities can relate! - Work-life balance
Keeping a healthy work-life balance is important. Which is why some people prefer working some days work from home. - Always keep learning
In an ever-changing industry, learning new skills is a must, and we're happy to help our team to acquire them.
What we do
SonarSource was started by a team of developers that wanted to change the way code is built in an agile development process. The company was created to develop the open-source tool SonarQube, which is now the standard in code quality management with over 190,000 instances deployed today. Every day we are focused on solving developers’ next big problem.
Who we are
At SonarSource we believe in people, excellence, and delivery. We’re a team of problem solvers and overachievers who seek out others who are also passionate and relentless in their respective missions. We want to work with people who are ready to fasten their seat belts and be part of an incredible ride. We work hard not because we’re told to, but because we genuinely love what we do and do what we love. If there’s one main message we want you to remember about us, it’s that we push others to be best in class at whatever they do: choose your battle, innovate, take risks, and lead change. Join us; we’ll be smarter and stronger together.