What are the responsibilities and job description for the Hardware Security, Lead Engineer position at Oracle?
As part of the Oracle Hardware Development (OHD) Hardware Engineering Organization, you will be involved in developing the next generation of Oracle hardware that underlies all of Oracle's Cloud and Enterprise platform offerings. These systems utilize leading edge technology to deliver record-breaking performance, simplified management, security, self-monitoring and diagnosis as well as cost-saving efficiencies. You will apply your expertise in detailed security evaluation of merchant silicon, your creativity in creating & driving secured and hardened platform solutions. You will collaborate across engineering development functional teams to create leading edge, cohesive and executable hardware security architectures and solutions.
Position Overview
Our organization is looking for a highly motivated, dedicated Senior Principal Engineer to run security architecture within a hardware design organization and to develop, implement, and own the hardware design security lifecycle program from concept through development, integration, introduction to production, deployment, and end of life decommissioning. of Cloud and Enterprise.
Qualifications:
Minimum of 8 years' experience in information systems, business operations, or related fields, at least 5 years of which must be from at least one of the following: Information security risk management; information security program management; Industry/Government security compliance program management (ISO-27001, GDPR, HIPAA, FedRAMP, etc.); threat and vulnerability management; incident management and response; security policy development and enforcement; privacy, information security education, training and awareness (ISETA), information security solutions development, etc. required.
Strong knowledge of: Cloud architecture and security principles. Risk Management Frameworks. *nix and Windows system administration.
Experience with: Logging and log analysis. Identity management principles and technology.
Preferred but not required qualifications include: Bachelor-level university degree in a relevant field from an accredited university, or equivalent. CISSP, CISM, CISA, CIPP or other equivalent certification. Comprehensive knowledge of security design for networks, databases, infrastructure, and cloud computing. Experience writing security incident and vulnerability reports for leadership and other stakeholders. Ability to effectively communicate and influence secure product and network design in a collaborative environment. Comprehensive knowledge of digital forensics. Strong knowledge of web technologies, middleware, database, OS, firewalls, network communication protocols and methods. Knowledge of encryption technologies and architectures. Expert level experience in evaluating and assessing security threats across a variety of environments and industries. Expert level understanding of secure networking principles, routers, switches and load balancers.
Responsibilities:
- Singular point-of-contact owning responsibility for every dimension of security related to Oracle-engineered hardware
- Serve as security subject matter expert for key custom hardware security components such as root-of-trust (RoT) hardware, for both peer customer organizations and the wider hardware organization
- Lead key hardware-focused security projects in conjunction with Oracle firmware and Oracle cloud teams
- Establish, maintain, and report on the operational status of the implementation of security-related features within the hardware organization, across teams
- Define, promote, and improve processes to build security into Oracle hardware designs
- Enable the hardware organization to develop deeper security expertise relevant to their roles
- Identify gaps in security features, processes, tools, and education; create and execute plans to address them
- Work closely with the wider OHD and SCO (Supply Chain Operations) virtual security team, the Chief Security Architect, and key internal and external partners on hardware matters
- Manage and review security aspects of third party components from the industry supply chain
- Establish and/or participate (as needed) in PSIRT (Product Security Incident Response Team) relationships with key Oracle hardware suppliers and partners
- Work with Oracle manufacturing teams to ensure that Oracle hardware is secure by default
- Work directly with hardware design and development teams on architecture, implementation, deployment, and troubleshooting of server hardware security designs and architectures.
- Develop, implement, own, and run the day-to-day execution of a security review program and process that is "baked-in" to the hardware design process, and conduct security reviews on system schematics and layouts as necessary along the development process, intercepting with reviews and security focused recommendations as early as feasible.
- Work closely and collaborate with other security points of contact inside and outside of the business unit, who cover areas of responsibility including BMC software stacks, system firmware, custom security hardware & firmware, cloud infrastructure security features, and more, as well as inter- and intra-org security architects.
- Develop and deliver informational & educational content on security topics, with a focus on hardware security and enabling hardware designers & developers at all levels within the org to “think security” in a practical way in their daily roles.
- Own and operate a long-term educational outreach program within the Hardware Design & Development organization that continues to raise the level of security awareness of all team members, as well as equips them with self-driven security analysis and skills relevant to their role. Coordinate with team leads, management, external training and educational service vendors, etc.
- Experience with the architecture, design, and implementation of modern server platforms consisting of multiple architectures and vendors, including, but not limited to, x86 (with both Intel and AMD parts) and ARM server architectures.
- Hands-on experience in an adversarial hardware security domain as applied to servers/systems, CPU architecture, modern compute infrastructure management subsystems, embedded systems, etc.
- Experience with understanding, analyzing, and communicating hardware security vulnerabilities, attacks, and research to hardware design communities and audiences, consisting of varied roles and responsibilities (e.g., architects, senior designers, junior design staff, technicians, etc.).
- Hands-on experience with hardware design (architecture, schematic capture, board layout, interacting with suppliers & contract manufacturers, etc.).
- Reverse engineering experience in an applied security context, especially as applied to hardware level security.
- Experience and demonstrated low-level knowledge of non-volatile memory technologies and "low-level" system component interfaces, including, but not limited to: NAND flash, NOR flash, SPI, I2C (incl. SMBus, PMBus), LPC, eSPI, etc.
- Experience with hardware level diagnostics and debugging, including early stage bring-up and power-on, platform firmware debugging, CPU complex/memory complex debugging and introspection, JTAG, etc. Comfortable with the use of hardware debuggers.
- Experience with platform level security technologies, including but not limited to secure boot (e.g., UEFI Secure Boot, Intel Boot Guard, measured boot, verified boot, etc.); platform firmware security architectures, roots of trust, and “T minus 1” designs (e.g., Cerberus, Nitro, Titan, OpenTitan, Intel PFR, etc.); Trusted Execution Environments (TEE; e.g., SGX, TrustZone, SEV, etc.); TPM, remote attestation (e.g., TXT, SKINIT); memory encryption (e.g., Total Memory Encryption [TME], Secure Memory Encryption [SME]).
- Experience in security assessment of firmware, ideally paired with experience of developing and debugging firmware.
- FPGA implementation experience. Use of FPGAs in a hardware design context, and/or RTL/gateware implementation.