Security Engineer
America/Los_Angeles - PST / PDT
Summary
Security Engineer - TuSimple, San Diego, CA, 2022-present
Own SDLC Security
Developed the roadmap and created SDLC security policies (including an OSS security policy and a vulnerability management policy).
Conducted a thorough evaluation of the existing security toolchain, encompassing OSS security scanning (SCA), SAST (static analysis), and Docker image scanning.
Created criteria lists and applied them to evaluate multiple SDLC security tooling options/vendors (Whitesource, Snyk, Sonatype).
Conducted POCs (proofs of concept) with external vendors and contributed to the tool selection process for a new OSS security tool that was better aligned with company needs.
Collaborated with infrastructure teams to deploy and integrate the tool with platforms such as Jenkins, GitHub, and IDEs.
Ensured adherence to security policies by leveraging the selected tool and collaborated with developers on security vulnerability remediation. When needed, verified the exploitability of CVEs and demonstrated findings to the team.
Web & API Security
Conducted security assessments and performed bug hunting (OWASP Top 10) on internal web applications (e.g., the fleet control center).
Created reports summarizing findings and presented the results to product teams during readout meetings. Collaborated with product teams on vulnerability triage and remediation.
Conducted a security design review of the API gateway designed for external customer use and developed security requirements for its secure implementation. Assessed the design and implementation of the company-wide authentication and authorization solution (OAuth-based), identified security concerns, and documented the security risks.
Key & Secret Management
Participated in the review of the company's PKI design, vendor selection process, and key ceremony. Maintained and managed a tool responsible for issuing OpenSSH certificates to company users, enabling remote access through SSH certificate-based authentication.
Security Engineer Intern - TuSimple, San Diego, CA, Summer 2021
Acquired proficiency in using DAST tools (e.g., AddressSanitizer, Valgrind) to perform dynamic analysis on open-source and in-house C/C++ applications.
Identified and mitigated memory bugs such as stack/heap overflows, memory leaks, and other memory-related vulnerabilities. Conducted code audits to validate the presence of potential bugs in the code.
Generated detailed bug reports for issues identified in open-source libraries (e.g., OpenCV) and in-house applications. Communicated findings and fix recommendations to the community or to internal developers.
Expectations
I have been studying or working in security for 5+ years, as a student or as a full-time engineer, and my passion is still in security. I would be interested in any opportunity that's related to security and would like to give it a try.
Employment Preferences
Expected Base Salary
**0,000 USD
Academic Degree
Experience
Total Professional Experience
Startup Experience
Big-Tech Companies
Skills
- Python
- Java
- C
- C++
- SQL
- HTML
- Shell Script
- X86 Assembly
- SDLC Security Tooling
- SCA
- SAST
- DAST
- Web Security
- API Security
- Key & Secret Management
- PKI
- Security Design Review
- AWS
- Security
- Secure Coding
- Binary Exploitation
- Reverse Engineering
- Malware Analysis
- Code Audit
- Network Forensics
- Web Development
- Software Engineering