Imagine what you can do if you can compromise the machines where Windows or Visual Studio is being built. Or where the most popular npm module or nuget package is built. You can attach your malware to popular and widely distributed software and reach millions of devices easily.
Increasingly, cyber threats are coming from such attacks on the software supply chain, which includes everything from developer machines to CI/CD pipelines, release/publish infrastructure and package managers. Every step in the supply chain offers rich targets for attackers to inject their malware into widely distributed software.
Microsoft is serious about securing our software supply chain from such attacks. We want to build multiple layers of defense against such attacks and reduce the chance that the software we ship and any external software we depend on are compromised in their supply chains.
We are looking for engineers who can help us tackle this challenge. Specifically, we are looking for someone with experience in multiple language platforms like Node.JS, Python, .NET, Java and Go. Deep understanding of how package managers work, how packages are built in various languages, how runtimes deal with versioned artifacts and how dependencies are handled would be very useful. Experience with setting up CI/CD pipelines and securing build machines is also helpful.
5+ years of experience developing commercial software with C#, C++ or Java
Bachelor's degree in Computer Science, a related technical field, or equivalent experience
Detail oriented design, coding, debugging and problem-solving skills
Strong written and verbal communication skills
Experience with Open Source Software development
Passion for quality with strong customer empathy
Ability to drive technical decisions across teams
Experience building applications in .NET, Node.JS, Python, or Java
Knowledge of software security, including threat modeling, isolation, integrity checking, and certificates
Experience with CI/CD and build pipelines
Experience with packages and package managers like npm, PyPI, NuGet, maven
You will be required to pass Microsoft background checks prior to the start of employment and periodically thereafter. Ability to meet Microsoft, customer and/or government security screening requirements are required for this role. These requirements include, but are not limited to the following specialized security screenings:
Microsoft Cloud Background Check: This position will be required to pass the Microsoft Cloud background check upon hire/transfer and every two years thereafter.
Microsoft is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to age, ancestry, color, family or medical care leave, gender identity or expression, genetic information, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran status, race, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable laws, regulations and ordinances. We also consider qualified applicants regardless of criminal histories, consistent with legal requirements. If you need assistance and/or a reasonable accommodation due to a disability during the application or the recruiting process, please send a request via the Accommodation request form.
Benefits/perks listed below may vary depending on the nature of your employment with Microsoft and the country where you work.
You will work with other engineers in the team to build tools and services to secure Microsoft's software supply chain, including any external dependencies. You will build mechanisms to securely build software, track chain of custody, evaluate trust of software components, transitively build dependencies, flag use of untrusted software.
You will work with multiple partner teams, internal and external and help raise Microsoft's security posture on our software supply chain. You will work with OSS communities to ensure OSS components also remain protected from attacks on their supply chain. You will work with emerging technologies and standards in this field.
Microsoft develops, licenses, and supports software, services, devices, and solutions.