Detection Tooling on Apple Silicon
Job Description
Summary
The Detection team within Apple Services Engineering (ASE) is responsible for creating advanced detections for approximately three quarters of Apple’s systems and services. We accomplish that by partnering closely with engineering teams to develop a deep technical understanding of how the systems work and to gain a comprehensive understanding of the threat vectors, which enables us to build cutting-edge security detections. One specific area of the team’s focus is detections for Private Cloud Compute (https://security.apple.com/blog/private-cloud-compute), which was announced at WWDC 2024 and runs on Apple Silicon servers. To improve detections on Apple Silicon servers, we are seeking an extraordinary Software Developer. The ideal candidate will be able to thrive in an environment that requires both coding skills to rapidly build features and advanced interpersonal skills to collaboratively determine which features are most important to build. This role will leave a lasting impact on Apple’s security posture, and by extension the security posture of billions of customers across the world.
Description
As part of the ASE Detection Team, you will develop software to run on Apple Silicon that will enable creation of advanced detections.
Specifically, you will:
- Partner with teams across Apple to determine “what to build” and prioritize a feature roadmap. This will be about 10% of your time.
- Write Swift code. Deliver production-grade, fully working software, including robust test/release. This will be about 70% of your time.
- Support emergent operational work (SRE-escalated production impacts from your code, consulting on detection ideation, implementing detections, assisting in security investigations, etc.). Engagement in this work, often outside the normal comfort zone, ensures that your software development efforts truly meet the needs of Apple’s internal customers/stakeholders. This will be about 20% of your time.
Minimum Qualifications
- Experience developing system software.
- Proficiency in, or desire to learn, Swift development in Xcode.
- Knowledge of operating system internals, macOS and/or iOS preferred, but Linux alone is also acceptable if coupled with a strong desire and capacity to learn macOS/iOS internals in detail.
- Knowledge of system-level APIs and instrumentation at the OS/API level. Ability to understand OS changes needed to enable intercepting and interpreting system level interactions.
- Experience building, maintaining, and supporting production software with rigorous performance and availability SLOs.
- Experience building CI/CD tools for test/release and associated methods for deployment on host (e.g. packages, containers, etc).
Preferred Qualifications
- Experience with macOS malware detection tools such as EndpointSecurity (https://developer.apple.com/documentation/endpointsecurity/monitoring_system_events_with_endpoint_security) framework
- Understanding of infrastructure security detections
- Sufficient security acuity to discuss/debate with detection engineers what operating system observables would most efficiently enable implementation of their detection ideas
- Bachelor's degree in Computer Science / Engineering or a related field, with emphasis in security-related fields (or equivalent experience).
- Community contributions like public CVEs, bug bounty recognition, open source tools, blogs, talks etc.