Working at Project Zero


Posted by Natalie Silvanovich and Ben Hawkes, Google Project Zero
Last updated: 2019-02-20

Project Zero gets a lot of questions about careers in information security, both at Google and in industry in general. In this post, team members provide their opinions on some of our most frequently asked questions about working on Project Zero.

What are you looking for when hiring for Project Zero?

Natalie Silvanovich, Security Engineer, Project Zero:

Project Zero members spend most of their time doing vulnerability research and exploit development, so we are largely looking for people with strong skills and experience in the area. Most people hired by Project Zero have a history of publicly reporting vulnerabilities in widely used software or participating in projects related to vulnerability research.

Ben Hawkes, Manager, Project Zero:

Right, and I think we're particularly interested in security research work that shows a high amount of creativity, that demonstrates a high standard of quality/professionalism, and that the results are communicated in an effective way. Having a public portfolio of vulnerability research and exploit development work is a great way to catch the attention of Project Zero. This can also include software development work, such as creating better systems for discovering, analyzing, and exploiting vulnerabilities.

How can I develop the skills that are needed to find and exploit vulnerabilities in software?

Natalie:

Personally, I think the most important thing someone can do to get started in vulnerability research is develop strong coding skills. Understanding security bugs in software almost always requires a strong understanding of the underlying code, so improving your coding skills can be very valuable.

For someone who already has strong coding skills, there are a few ways that I know people have developed bug hunting skills. When I was starting out, I spent a lot of time reading about vulnerabilities and exploits. One of the best books I read was The Art of Software Security Assessment. It’s a few years old, but most of the content is still relevant. I also get a lot of news about security from Twitter and r/netsec. People often post articles about new and exciting vulnerabilities they’ve found.

It can also be helpful to analyze fixed vulnerabilities and understand how they work. Many open source projects have trackers where they describe the technical details of vulnerabilities, and there are a lot of bug details on the Project Zero tracker. If you are feeling enthusiastic, volunteering to fix bugs, especially memory corruption bugs in open source projects or any software you work on, can be a good way to understand bugs better. Even if they don’t have a security impact, it will give you a better understanding of what can go wrong when coding.

If you work at a company that writes software, it can be helpful to track down the team that is responsible for product security. These teams often have trouble encouraging secure coding and other good security practices within the company and are happy to meet people in other roles who are interested in security and can help with this. Many companies have formal or informal “security champion” programs where members of development or test teams work with the security team to improve the security of the software they work on. This can be a good way to learn more about vulnerabilities and meet people who can help you learn more about them.

If you are looking for work, it can be a good idea to apply for some entry-level positions at security consultancies and product security teams. Some companies are willing to train people with a strong interest in security and this can be a great way to gain experience.

If you have the opportunity to attend, security conferences are a great way to learn more about vulnerability research and meet other people who are interested in it. If not, a lot of security conferences, such as BlackHat, Defcon and Bsides, share videos of their presentations. Also, a lot of security discussion groups are listed on MeetUp.com; there might be one in your area.

Ben:

I agree -- learning the fundamentals of programming, operating systems, and machine architecture is a great starting point. Studying the results of more experienced vulnerability researchers will give you an idea of what vulnerabilities look like in reality, while also exposing you to concepts like "bug classes", "attack surface", and "exploit development". From there, practice is key. Reading code to find vulnerabilities is different from just reading code to understand how it works -- the former requires purposeful adversarial thinking. Just like any other skill, you have to train your ability to spot the subtle edge cases that might represent a vulnerability.

Mateusz Jurczyk, Security Engineer, Project Zero:

Finally, Capture The Flag (CTF) competitions are another great way to learn bug hunting and exploitation skills. They are hacking contests consisting of challenges in categories such as web security, cryptography, reverse engineering, and exploitation, which are open to everyone. Participating as part of a team makes it easier to compete, but is not required to work on individual challenges. Both solving CTF challenges and studying other players' write-ups provide an opportunity to learn about various security topics. A complete list of ongoing and upcoming CTFs can be found at ctftime.org. The video What is CTF? provides a thorough introduction to security CTFs, as well as hints on where to start.

What are the backgrounds of people on Project Zero?

Natalie:

People on Project Zero have a lot of different backgrounds. There are people who have worked in product security for other companies, for security consultancies and for government security teams. A lot of Project Zero members were hired from other teams at Google as well.

Ben:

And some of the team have joined straight from university/school. There isn't a predefined career path overall, but we typically look for candidates with security-related practical experience.

I have experience with vulnerability research, but I don’t have any public bugs, what can I do?

Natalie:

It’s useful for candidates to have publicly reported vulnerabilities, as finding vulnerabilities internal to product development and finding bugs externally often involves different challenges. Reporting some vulnerabilities publicly before applying to Project Zero will make your application more likely to be successful. Reviewing open-source projects and participating in bug bounties can be a good way to get started with this. You can see bugs that Project Zero has filed in the past in our tracker, to get an idea of what areas we generally look for vulnerabilities in. It can also be worthwhile to ask your employer if there are any projects that involve publicly reporting vulnerabilities, such as reviewing third-party components, that you can get involved in.

Also, many Project Zero members started off at other roles at Google, so another option is to apply for another security role at Google and gain experience that way.

Ben:

There's no strict rule about having public bugs to point to, but it's certainly easier to generate excitement about your work that way. Showing your technical skills via non-security projects is a good idea in this situation, and it's often possible to build a reputation as a talented security researcher even when your results can't be published. Ultimately, if you think you're qualified for the Project Zero role, it's worth applying.

I am a student/non-technical and am considering infosec as a career. How can I get into it?

Natalie:

In this article, from before I joined Google, I gave some advice for students interested in careers in security. My biggest suggestion is to learn about coding and how computers work, at school if possible, as this is very important for security and many other careers. It is also a good idea to explore different career opportunities within information security, as it is a broad field and there are a lot of options.

What is the hiring process for Project Zero?

Natalie:

Project Zero follows roughly the same hiring process that the rest of Google does. So candidates apply to our job posting, and then go through a phone interview, and then five interviews on different topics if they are successful.

Ben:

Typically a candidate can expect to encounter a mix of security focused and software engineering focused questions in the interviews.

Does Project Zero hire interns?

Natalie:

Google hires many interns for security positions, and they occasionally work with Project Zero. To apply for a security internship at Google, apply for the following position (note that applications may be closed depending on the time of year; they will open again in preparation for the summer term). Successful candidates have often publicly reported vulnerabilities or worked on interesting projects in the areas of vulnerability research, exploitation or reverse engineering, so make sure to include anything related on your resume!

This sounds great! How can I apply for a full-time position on Project Zero?

Ben:

You can apply for a full-time Project Zero researcher role by applying for Information Security Engineer on the Google Careers site and noting that you're interested in Project Zero. If there are no results, we're not currently hiring -- but check back later!
