Have you ever wondered what it’s like to work in the NCSC Vulnerability Research team, and how it compares to working in industry? Read on to find out… (Spoiler alert – we’re hiring!)
Wait, NCSC does vulnerability research?
Sure we do! We’re regularly asked by parts of the UK government for advice on what new technologies to use, how to respond to the latest bug (complete with scary logo and website), or what phone to take abroad.
And while you can find various (and often conflicting) answers to these questions in vendor marketing material (or your favourite Stack Overflow post), the only way to really know for sure is to ask a team of experts to find out. That’s where we come in.
There are a number of benefits to having this expertise in house. It makes the NCSC better informed about the security of technologies, and the difficulty of finding vulnerabilities in the latest and greatest software products.
We also have a strong and steadily growing reputation that prides itself on ‘quality over quantity’ in respect of the vulnerabilities we find and disclose. We don’t play the numbers game with CVEs; we just make sure that when disclosing a vulnerability, we give the affected vendor a comprehensive and high-quality report, and act professionally throughout the disclosure process.
Having this wealth of knowledge within the team makes it a perfect environment for training. We regularly attend training courses, run internal “Capture The Flag” competitions and keep each other updated on the interesting developments in our fields. When a particularly interesting public vulnerability is released, we will take the time to understand it fully, and make sure that we’ve identified any new patterns we can look for in our own work. Most importantly, the timescales we conduct our research is usually measured in years – not weeks or months, so we invest heavily in developing our skills to ensure we reach the levels of understanding required to give clear, reliable advice.
What is it like to work in VR at the NCSC?
We do our best to create the ideal environment to conduct research. We have a decent-sized team of researchers working from our Cheltenham headquarters in an environment that is strongly focused on researchers needs, which includes multi-monitor setups, powerful computers and noise cancelling headphones.
To give you more of an idea of what it’s like to work in VR at the NCSC, we asked Jon and Rich, two of our more senior researchers, to describe a typical day.
Jon B: “We’re trusted to manage our time effectively”
I’m Jon, and I work as a Senior Vulnerability Researcher at the NCSC. I joined in 2014, and I want to tell you a little bit about my job and my experience of applying to work at the NCSC after several years in industry.
How did you join the NCSC?
I studied computer security as an undergraduate and for my masters, before spending five years in industry, primarily working in penetration testing and security research.
Prior to joining the NCSC I was Head of Research for a well-respected UK company, where I was fortunate to spend a majority of my time performing research for clients, and presenting my findings at conferences. My first exposure to the work of the NCSC was at an industry conference, where Rob T (who runs the VR team) gave a talk about the work the NCSC do, specifically around their research and guidance. Before then, I hadn’t really considered the NCSC a place to conduct VR, and I wasn’t really sure quite what they did. The hope is that blog posts like this will help to shed some light on this.
After chatting to Rob, it was clear that there were some really interesting projects that I wanted to be a part of. I applied soon after we met, and while the application process is lengthy (my security clearance took around 9 months to come through), the wait was worth it.
What do you actually do all day?
As a senior researcher, I spend a vast majority of my time doing deep technical work, with a strong focus on source code review, fuzzing and tool development. I lead our long-term research into web browser security, and contribute heavily to our vulnerability disclosures, many of which are publicly credited to the NCSC. Due to the fast rate of change in web browsers, I spend a lot of my time reading about the latest advances in JIT optimisations, or attempts at a parallel DOM implementation. I also keep up to date with the security promises provided by new programming languages, for example Mozilla’s work on Rust (we hope to publish another blog post soon detailing this). I am a technical mentor to a couple of members of staff, and I am currently developing a training course on JavaScript engine internals.
What led you to join the NCSC?
What attracted me most to working at the NCSC was the lack of many of the commercial pressures associated with VR in industry. As with most forms of research, VR is not time-bounded and it’s hard to measure progress concretely. This is especially true in consultancy environments, which usually operate on the idea of chargeable and non-chargeable time (where VR almost always falls into non-chargeable time). In the VR team we don’t have the concept of utilisation and we’re trusted to manage our time effectively. We conduct long-term research on topics that feed our inquisitive natures, which keep us focused and interested. This is a benefit that I feel is impossible to get anywhere else. It helps build our skills and enables us to invest in innovative approaches to VR which aren’t viable anywhere else.
The VR team has a reputation for attracting and retaining very talented and motivated researchers, many of whom are completely unknown in the public security community. I believe this is due to the long-term nature of our projects, great support for training and skills development, the strong belief in the motivations behind our work and salaries that are very competitive with the private sector.
Rich T: “We’re given quite a lot of freedom to personalise our role”
I’m Rich, and I’m a Principal Vulnerability Researcher at the NCSC.
How did you join the NCSC?
I joined GCHQ as a graduate in 2005. I ended up being a vulnerability researcher sort of by accident. When I joined, there wasn’t really any public acknowledgement that we conducted vulnerability research. Until I was invited to a familiarisation visit, I actually expected to be working on something completely different, as I’d completed a year in industry working on radar simulations. GCHQ spotted that I had a relevant final year project from my computer engineering degree, where I’d designed and built a new ARM-based teaching board, and put together a GCC tool chain for it. I ended up working on finding vulnerabilities in network infrastructure devices, where I got to work on some really interesting projects (like testing some of the network devices that made up the core of the UK internet at that time).
After 5 years covering a range of related work, I decided I needed some wider experience and left GCHQ to work for a big US-based software developer. I got a lot out of that experience, but a couple of years ago I was persuaded to come back as one of the NCSC’s principal researchers, initially working on our Cloud Security Guidance, but then returning full time to vulnerability research.
What do you actually do all day?
As a principal researcher, my job is quite varied, we’re given quite a lot of freedom to personalise our role, and it’s important to me to spend the majority of my time doing technical research work. On the technical side, I’m responsible for our dynamic analysis research; figuring out how we can instrument and interact with programs to find and triage vulnerabilities. On the non-technical front, I’m responsible for line managing two other researchers, for recruitment into the VR team and I share deputising for our team tech director roughly one week in four.
So a typical week for me might involve:
- a day working at home testing a new public domain fuzzer, or working on the infrastructure as code tools we use to run our compute and fuzzing infrastructure
- a couple of days working on my main technical project, which is working out how we can detect subtle heap errors by applying AddressSanitizer style instrumentation in software which we can’t build ourselves
- helping out a colleague with using our dynamic analysis tools and preparing for an internal training course we’re running later in the year
- reviewing some CVs and checking up with our support team on how our various different recruitment campaigns are progressing
What led you to re-join the NCSC?
There are lots of commercial and academic organisations conducting vulnerability research and other cyber security work, so why did I return to the NCSC?
I like the challenge of working in a really capable team. We have a really excellent team of researchers, it helps me to keep my work relevant and to learn from people who are better than I am. We’re really serious about helping people develop, and I like contributing to that development, through being a manager and technical mentor, and learning from the others around me.
I like being able to commit to long-term difficult research problems. We take a considered approach to our research planning, and don’t get as side-tracked by short term pressures that you often see in our commercial equivalents. We’re also serious about being a decent place to work and work/life balance. We do have our share of civil service paperwork, but we also have the opportunity to work flexibly and are encouraged to have a life outside work.
And finally, as a member of the intelligence community, I get to see things that only the NCSC can do, that are (to borrow a phrase from our NCSC Technical Director Ian Levy) “euphemistic by design“.
Sounds great, how do I apply?
If you graduate shortly, or have some industry experience, take a look at our researcher role. Perhaps you’re looking to move from a developer to a more research-focused role?
If you’ve more practical security research experience in a commercial or academic research setting I’d encourage you to take a look at our senior researcher role.
Hopefully you will notice that we don’t put a long list of technical requirements in our job adverts. We don’t expect you to recite the Intel programmers manual from memory while juggling (although it would make for a very impressive interview ). The key requirements we have are a strong desire for a deep knowledge about new and emerging technologies, and (due to the sensitivities of some of our work), the ability to obtain UK DV security clearance.
What if I don’t have the level of experience described in your job ads?
No problem! We have people who have joined after years working in industry, working alongside people who completed a summer placement with us (and continued their work after graduating). There are many ways to start your path to a career at the NCSC. If you’re still at school, college or university you should check out our CyberFirst competitions, summer schools, bursaries and our apprentice scheme.
Jon B and Rich T
Senior Vulnerability Researcher & Principal Vulnerability Researcher at the NCSC
Source: National Cyber Security Centre