Posted On May 13

Internet of Things (IoT) Device Security Evaluator


Location : Ottawa, ON

Headquarters : London

Hiring Mode : Full Time

Hiring Role : Security/Audit/Risk Engineer

Experience : Mid Level

Full Job Description
An IoT Device Security Evaluator is involved with evaluations of devices to various IoT, medical, and industrial security requirements including:
  • Intertek Cyber Assured
  • California SB-327
  • IEC 62443
  • UL 2900
  • ETSI EN 303 645
  • Various other programs
Evaluations can include the following types of assessments:
  • Vulnerability assessment and penetration testing (device, infrastructure, and web app)
  • Malformed input (i.e., fuzzing)
  • Secure boot/update
  • Firmware/OS hardening
  • Mobile application testing (e.g., OWASP MASVS/MSTG)
  • Policy, process, and procedure review
  • Cryptographic key management
  • Source-code review
  • Secure software development lifecycle
  • Reverse engineering
It is expected that a candidate will have expertise in a few of the above areas with at least an interest in the remaining areas. Skills in the remaining areas can be gained through on-the-job training.
Device security analysis and assessments can require the use or knowledge of:
  • Networking protocols (e.g., Ethernet/IP/TCP/UDP/TLS)
  • Wireless protocols (e.g., WiFi, Bluetooth, Zigbee/Z-Wave)
  • Application protocols (e.g., HTTP, SSH)
  • Local interfaces (e.g., USB, UART, I2C/SPI, RFID/NFC)
  • File formats
  • Secure coding and common weaknesses
  • iOS and Android application protections
  • Windows, Linux, and Mac operating systems
The work is done on client devices, so communicating the results of testing is necessary and is done through technical reports. To produce high-quality reports, the following is needed:
  • Attention to detail including consistency and completeness
  • Ability to communicate effectively in English
  • Good use of figures, images, and tables
  • Effective use of the Office suite (Word and Excel in particular)
Additional skills that are sought in a candidate include:
  • Communicating and working effectively within a small team
  • Communicating with clients
  • Managing time on multiple concurrent projects
  • Being able to work in a shared lab environment
  • Being able to work independently
  • Being able to identify and understand limitations in tests
  • Being able to come up with new test plans or improvements on existing test plans
This position follows a hybrid model: device evaluations are to be done in the office, some remote work is available for other job responsibilities, and there is potential for on-site client visits. In addition to the assessment work, there will be opportunities to develop and deliver training and consulting to clients, which could be done virtually or on-site. While the position is for the IoT area of the company, work in other related areas of the company (e.g., Payment security) may be assigned as needed.
The work requires a mixture of software (firmware/OS level) and communications knowledge. An understanding of hardware in IoT/embedded applications is not necessary, but an interest in these areas is a plus. A post-secondary degree or diploma, or equivalent work experience, is needed for this position. Candidates should be eligible to obtain a Government of Canada SECRET level clearance (e.g., 10 years verifiable history).