
Appsec Researcher

More than 3.5 years of experience
Permanent contract
Python
Java
Javascript

SonarSource builds world-class products for Code Quality and Security. Our open-source and commercial code analyzers - SonarLint, SonarCloud, SonarQube - support 27 programming languages, empowering dev teams of all sizes to solve coding issues within their existing workflows. With over 6,000 customers and a Community Edition trusted by more than 200,000 organizations globally, SonarSource products are a de-facto standard for teams and organizations to deliver better, safer software.

Your profile

You are a developer and you know secure coding practices. You have a growing interest in application security and you would like to share your knowledge and expertise with other developers. Like us, you believe that application security is not the responsibility of a few experts and that developers can have the biggest impact when they get the right information at the right time.

The impact you can have

As an AppSec Researcher, you play a central role in realizing our ambition to provide the best SAST solution on the market. You decide what security issues the product should detect and how they materialize in various language ecosystems. You work closely with static analysis developers to specify, clarify, communicate, and validate all functional aspects of the security rules.

You will be a trusted adviser to developers, able to provide meaningful code samples and specifications. This is a great way to have a direct impact on the product and, through it, on the way millions of developers produce code.

On a daily basis, you will

  • Build expertise on various language ecosystems in order to identify the most common vulnerabilities that developers are facing.
  • Investigate how these vulnerabilities materialize within the code.
  • Define the security rule that will detect these vulnerabilities.
  • Analyze open-source projects and evaluate the results of the security rules.
  • Interact with our user community, clarify their feedback, and turn this invaluable input into actions and decisions: for example when a vulnerability detection rule is too noisy, or when the taint analyzer reports vulnerabilities without enough contextual information.
  • Drive innovation to make our SAST engine even better.
  • Study competitors and provide gap analysis.
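The daily tasks above (see how a vulnerability materializes in code, define a rule that detects it, then chase false positives and make the report carry enough context) are abstract on their own. The following is an added example, not SonarSource's engine or any of its rules: a minimal intra-procedural taint rule over Python's `ast` for OS command injection. The source/sink/sanitizer catalogue (`request.args.get`, `os.system`, `shlex.quote`, ...) and the three sample functions in `SAMPLE` are constructed for this illustration. The rule records the full flow path so a report is actionable, and it deliberately does not propagate taint through a lookup key into a constant table, which is exactly the kind of design decision that separates a noisy rule from a useful one.

```python
"""Toy intra-procedural taint rule: user input reaching an OS command sink
without passing through a sanitizer. Illustrative only, not a Sonar rule."""
import ast
from dataclasses import dataclass, field

# Assumed catalogue for this example (real engines carry thousands of entries).
SOURCES = {"input", "request.args.get", "request.form.get"}
SINKS = {"os.system", "os.popen"}
SANITIZERS = {"shlex.quote"}


@dataclass
class Finding:
    function: str
    sink: str
    line: int
    path: list = field(default_factory=list)  # human-readable source-to-sink steps


def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class TaintRule(ast.NodeVisitor):
    def __init__(self):
        self.findings = []
        self.tainted = {}       # variable name -> flow path (list of str)
        self.func = "<module>"

    def visit_FunctionDef(self, node):
        saved = (self.func, self.tainted)
        self.func, self.tainted = node.name, {}   # fresh state per function
        for stmt in node.body:
            self.visit(stmt)
        self.func, self.tainted = saved

    def taint_of(self, expr):
        """Flow path if expr carries attacker-controlled data, else None."""
        if isinstance(expr, ast.Name):
            return self.tainted.get(expr.id)
        if isinstance(expr, ast.Call):
            callee = dotted(expr.func)
            if callee in SOURCES:
                return [f"line {expr.lineno}: source {callee}()"]
            if callee in SANITIZERS:
                return None                      # taint stops at the sanitizer
            # Any other call (str.strip, str.format, helpers) propagates conservatively.
            for sub in [expr.func] + expr.args + [kw.value for kw in expr.keywords]:
                path = self.taint_of(sub)
                if path:
                    return path
            return None
        if isinstance(expr, ast.Attribute):
            return self.taint_of(expr.value)
        if isinstance(expr, ast.Subscript):
            # CONST[tainted_key] yields a value chosen from the container, not
            # attacker bytes: only a tainted container propagates. Propagating
            # through the key would flag allow-list lookups as false positives.
            return self.taint_of(expr.value)
        if isinstance(expr, ast.BinOp):
            return self.taint_of(expr.left) or self.taint_of(expr.right)
        if isinstance(expr, ast.JoinedStr):         # f-strings
            for v in expr.values:
                if isinstance(v, ast.FormattedValue):
                    path = self.taint_of(v.value)
                    if path:
                        return path
        return None

    def visit_Call(self, node):
        callee = dotted(node.func)
        if callee in SINKS:
            for arg in node.args:
                path = self.taint_of(arg)
                if path:
                    self.findings.append(Finding(self.func, callee, node.lineno,
                        path + [f"line {node.lineno}: reaches sink {callee}()"]))
                    break
        self.generic_visit(node)

    def visit_Assign(self, node):
        self.generic_visit(node)                  # check sinks on the RHS first
        path = self.taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if path:
                    self.tainted[target.id] = path + [f"line {node.lineno}: assigned to {target.id}"]
                else:
                    self.tainted.pop(target.id, None)   # overwritten with clean data


def analyze(source):
    rule = TaintRule()
    rule.visit(ast.parse(source))
    return rule.findings


# Constructed sample: one true positive, one sanitized flow, one allow-list lookup.
SAMPLE = '''
import os, shlex
from flask import request

ALLOWED = {"web": "10.0.0.5", "db": "10.0.0.6"}

def ping_vulnerable():
    host = request.args.get("host")
    cmd = "ping -c 1 " + host
    os.system(cmd)

def ping_fixed():
    host = shlex.quote(request.args.get("host"))
    os.system(f"ping -c 1 {host}")

def ping_allowlist():
    name = request.args.get("name")
    host = ALLOWED[name]
    os.system("ping -c 1 " + host)
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"{f.function}: tainted data reaches {f.sink}() at line {f.line}")
        for step in f.path:
            print("   ", step)
```

Only `ping_vulnerable` is reported; the sanitized and allow-list variants stay quiet, and the reported path names the source line, each intermediate assignment and the sink, which is the contextual information a developer needs to judge and fix the issue.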

The skills you will demonstrate

Technical skills

  • Mastering AppSec basics, including knowing most common vulnerabilities, how to locate vulnerabilities in the code, how to exploit basic vulnerabilities. To be successful, you should be interested or involved in the application security ecosystem.
  • Having a developer mindset: experience with the coding lifecycle, ability to produce secure code, to do code reviews and to jump into an unknown codebase, language or framework.
  • Mastering at least one programming language along with its development environment, to understand end users' context and expectations.

Soft skills

  • Strong communication skills, i.e. both listening and expressing constructive ideas.
  • High level of autonomy while still accepting help and feedback from team members.
  • Ability to work and communicate with non-security experts.

Nice to have

  • Understanding of static analysis mechanisms.
  • Ability to challenge rule implementation.
  • Capability to bring a new field of expertise and convert it to additional value to the product.

Words from the team

We are a team of 3 AppSec Researchers with the mission to imagine, define, and maintain security rules that are used by developers around the world. We study how developers would introduce weaknesses in their applications. 

We make sure that our security rules are tailor-made for the most widely used environments. We also like to look at the issues that our products find on open source projects where we chase false positives.

We are a team of passionate people that enjoy learning from each other. Every day we work at providing developers the best rules and help them own the security of their code.

Why you will love it here

  • Safe work culture:
    we value respect, kindness, and the right to fail.
  • Flexible hours:
    we schedule our days in order to be effective at work; for instance, some people prefer to work from home one day per week.
  • Great people:
    we value people skills as much as technical skills and strive to keep things friendly and laid back. Still, that does not prevent us from being passionate leaders in our domains. Our 200+ SonarSourcers from 27 different nationalities can relate!
  • Work-life balance:
    keeping a healthy work-life balance is important while also being able to enjoy life’s important moments.
  • Always keep learning:
    in an ever-changing industry, learning new skills is a must, and we're happy to help our team to acquire them.

What we do

SonarSource was started by a team of developers that wanted to change the way code is built in an agile development process. The company was created to develop the open-source tool SonarQube, which is now the standard in code quality management with over 190,000 instances deployed today. Every day we are focused on solving developers’ next big problem.

Who we are

At SonarSource we believe in people, excellence, and delivery. We’re a team of problem solvers and overachievers who seek out others who are also passionate and relentless in their respective missions. We want to work with people who are ready to fasten their seat belts and be part of an incredible ride. We work hard not because we’re told to, but because we genuinely love what we do and do what we love. If there’s one main message we want you to remember about us, it’s that we push others to be best in class at whatever they do: choose your battle, innovate, take risks, and lead change. Join us; we’ll be smarter and stronger together.

Team

The Development teams are teams of problem solvers and overachievers who seek out others who are also passionate and relentless at their respective crafts. We want to work with people who are ready to buckle up and be a part of an incredible ride. We work hard not because we're told to, but because we genuinely love what we do.

Management

At SonarSource we believe in people, excellence and delivery. We operate as a group with minimal hierarchy; our success comes from the sum of all of us, we remain open-minded to others' views and we embrace diversity because we see it as a strength. We achieve the highest standards; we go the extra mile and challenge the status quo. We recognise our limitations so we can constantly improve. As a SonarSourcer, you make it happen. You have no manager and receive no orders to follow: you choose your battles, take risks, innovate and lead change in baby steps.

Reference: MXE141KI

Skills

Backend: Python, Java, C#
Frontend: Javascript

About the company

SonarSource builds world-class products for Code Quality and Security. Our open-source and commercial code analyzers - SonarLint, SonarCloud, SonarQube - support 29 programming languages, empowering dev teams of all sizes to solve coding issues within their existing workflows. With over 15,000 customers and a Community Edition trusted by more than 300,000 organizations globally, SonarSource products are a de-facto standard for teams and organizations to deliver better, safer software.

About Our Products

SonarLint

SonarLint is a free IDE extension that lets you fix coding issues before they exist! Like a spell checker, SonarLint highlights Bugs and Security Vulnerabilities as you write code, with clear remediation guidance so you can fix them before the code is even committed. Available for Eclipse, IntelliJ, Visual Studio & VS Code.

SonarCloud

SonarCloud is the leading online service to catch Bugs and Security Vulnerabilities in your Pull Requests and throughout your code repositories. Totally free for open-source projects (paid plan for private projects), SonarCloud pairs with existing cloud-based CI/CD workflows and provides clear resolution guidance for any Code Quality or Security issue it detects. With more than 1 billion lines of code under analysis, SonarCloud empowers development teams of all sizes to write cleaner and safer code, across 20+ programming languages.

SonarQube

SonarQube is the leading tool for continuously inspecting the Code Quality & Security of your codebases and guiding development teams during Code Reviews. Covering 27 programming languages, while pairing up with your existing software pipeline, SonarQube provides clear remediation guidance for developers to understand and fix issues and ultimately deliver better and safer software. With over 170k deployments helping small development teams as well as global organizations, SonarQube provides the means for all teams and companies around the world to own and impact their Code Quality.
