Security Engineer

As a member of the security team at GitLab, you will be working towards raising the bar on security. We will achieve that by working and collaborating with cross-functional teams to provide guidance on security best practices.

The Security Team is responsible for leading and implementing the various initiatives that relate to improving GitLab's security.

Responsibilities for Security Engineer roles

• Develop security training and guidance to internal development teams
• Provide subject matter expertise on architecture, authentication and system security
• Create and maintain artifacts in a protected repository established as a single source of truth
• Assess security tools and integrate tools as needed, particularly open-source tools
• Assist with recruiting activities and administrative work
• Technical Skills
  • Familiar with common security libraries, security controls, and common security flaws that apply to Ruby on Rails applications.
  • Ability to discover and patch SQLi, XSS, CSRF, SSRF, authentication and authorization flaws, and other web-based security vulnerabilities (OWASP Top 10 and beyond).
  • Knowledge of common authentication technologies including OAuth, SAML, CAs, OTP/TOTP.
  • Knowledge of browser-based security controls such as CSP, HSTS, XFO.
  • Experience with standard web application security tools such as Arachni, Brakeman, and BurpSuite.
  • There should also be time to participate in development of GitLab.
• Code quality
  • Proactively identify and reduce security risks.
  • Find and remove outdated and vulnerable code and code libraries.
• Communication
  • Consult with other Developers and Product Managers to analyze and propose application security standards, methods, and architectures.
  • Handle communications with independent vulnerability researchers and design appropriate mitigation strategies for reported vulnerabilities.
  • Educate other developers on secure coding best practices.
  • Ability to professionally handle communications with outside researchers, users, and customers.
  • Ability to communicate clearly on technical issues.
• Performance & Scalability
  • An understanding of how to write code that is not only secure but scales to a large number of users and systems.

General Requirements for Security Engineer roles

• You have a passion for security and open source
• You are a team player, and enjoy collaborating with cross-functional teams
• You are a great communicator
• You employ a flexible and constructive approach when solving problems
• You share our values, and work in accordance with those values
• Ability to use GitLab

Levels of Security Engineer roles

Intermediate Security Engineer

• Leverage understanding of fundamental security concepts
• Triages/handles basic security issues
• Be positive and solution oriented
• Good written and verbal communication skills
• Constantly improve product security

Job Grade

The Security Engineer is a grade 6.

Senior Security Engineer

The Senior Security Engineer role extends the Intermediate Security Engineer role.

• Leverages security expertise in at least one specialty area
• Triages and handles/escalates security issues independently
• Conduct security architecture reviews and makes recommendations
• Great written and verbal communication skills
• Interview security candidates during hiring process

A Senior Security Engineer may decide to pursue the security engineering management track at this point, should they wish to. See Engineering Career Development for more detail on the tracks available for Senior Engineers.

Job Grade

The Senior Security Engineer is a grade 7.

Staff Security Engineer

The Staff Security Engineer role extends the Senior Security Engineer role.

• Recognized security expert in multiple specialty areas, with cross-functional team experience
• Make security architecture decisions
• Provide actionable and constructive feedback to cross-functional teams
• Implement security technical and process improvements
• Exquisite written and verbal communication skills
• Author technical security documents
• Author questions/processes for hiring and screening candidates
• Write public blog posts and represent GitLab as a speaker at security conferences

Job Grade

The Staff Security Engineer is a grade 8.

Principal Security Engineer

The Principal Security Engineer role extends the Staff Security Engineer role.

• Collaborate and makes proposals across several teams on cross-functional security initiatives
• Help team members make informed decisions in support of and alignment with the sub-department strategy
• Expose technology and organizational needs throughout their department
• Teach, guide and mentor new and existing team members
• Play a central role in technical, business, and organizational contributions affecting the sub-department/department
• Assist in developing team and sub-department roadmap
• Solve technical problems of the highest scope, complexity, and ambiguity for their sub-department.
• Interface with organizational stakeholders and enable Staff Engineers to engage on department-level aspects of larger (sub-department wide) initiatives.
• Looks for innovation opportunities between several teams with a willingness to experiment and to boldly confront problems of large complexity and scope.
• Guide conversations to remove blockers and encourage collaboration across teams.
• Provide a point of escalation for sub-department teams facing complex technical challenges.
• Exposes the work of the sub department and their business impact internally.

Job Grade

The Principal Security Engineer is a grade 9.

Distinguished Security Engineer

The Distinguished Security Engineer role extends the Principal Security Engineer role.

• Considered the leading domain expert for the sub-department
• Act as DRI and point of escalation for teams facing extremely complex technical challenges
• Responsible for attaining a measurable impact of leading initiatives within sub-department
• Identify challenges and technical interdependencies and suggest solutions to address them
• Use quantitative analysis to impact key business decisions
• Evangelize and drive department needs across organiational stakeholders to achieve success
• Lead conversations to encourage collaboration across teams
• Assist in the growth and development of team members within sub-department
• Play central role in decision making for technical, business, and organizational issues
• Build technology and organizational bridges to key organizational partners
• Ownership of significant sub-department objectives, goals and OKR's
• Contributor to sub-department roadmap and strategic direction

Job Grade

The Distinguished Security Engineer is a grade 10.

Specialties for Security Engineer roles

Security Research

Security research specialists are subject matter experts (SME) that conduct research in their area of expertise to protect GitLab the product and GitLab company assets. They are also encouraged to participate in the larger security community through blog posts and participation in industry conferences. Responsibilities for this specialty include:

• Conduct research in their area of expertise to protect GitLab and GitLab.com assets.
• Research security posture of FOSS tools that are integrated with GitLab.
• Report findings to tool developers and track mitigation process, following responsible disclosure guidelines.
• Author blogs posts and presentations on vulnerabilities discovered and their area of expertise.
• Support other GitLab initiatives as a SME.
• Author documentation and/or tooling for security training.

Application Security

Application Security specialists work closely with development teams, product managers (PM), and third-party groups (including the paid bug bounty program) to ensure that GitLab products are secure.

Application Security Responsibilities

• Perform vulnerability management and be a subject matter expert (SME) for mitigation approaches.
• Support and evolve the bug bounty program.
• Conduct risk evaluation of GitLab product features.
• Conduct application security reviews, including code review and dynamic testing.
• Participate in initiatives to holistically address multiple vulnerabilities found in a functional area.
• Develop security training and socialize the material with internal development teams.
• Develop automated security testing to validate that secure coding best practices are being used.
• Facilitate preparation of both critical and regular security releases
• Guide, advise, and assist product development teams as SMEs in the area of application security.
• Assist with recruiting activities and administrative work

Application Security Requirements

• Familiarity with common security libraries, security controls, and common security flaws that apply to Ruby on Rails applications
• Some development experience (Ruby and Ruby on Rails preferred; for GitLab debugging)
• Experience with OWASP, static/dynamic analysis, and common exploit tools and methods
• An understanding of network and web related protocols (such as, TCP/IP, UDP, IPSEC, HTTP, HTTPS, routing protocols)
• Familiarity with cloud security controls and best practices

Security Automation

By leveraging diverse technologies and an automation first approach, the Security Automation team strives towards improving the efficiency, effectiveness, and accuracy within GitLab's Information Security program with a focus on cost savings. Examples include the creation of automated security issue triage and management solutions, automating handling of repetitive tasks, and defining re-usable security automation architectures. Additionally, the Security Automation team will assist other security specialty teams with automation efforts they are leading and developing through the assessment of automation tools, and integration tools and technologies to support automation efforts as needed.

Security Automation Responsibilities

• Design, engineer, deploy, and maintain custom automation products
• Build security tooling and automation for internal use that enable the Security Department to operate at high speed and wide scale
• Define and own metrics and key performance indicators to determine the effectiveness of the Security Automation program
• Collaborate with product teams to ensure that the GitLab product meets security automation requirements for ourselves and our users.

Security Automation Requirements

• Previous experience on a Security Operations, Software Development, or Automation team
• Scripting/coding experience with one or more languages - Python, Ruby, and/or Golang experience a plus
• Extensive knowledge of Internet security issues, automation or software engineering technologies, cloud architectures, and threat landscape concepts
• Solid understanding of the Software as a Service (SaaS) model
• Solid understanding of the DevOps model
• Experience with Cloud Computing Platforms - GCP experience a plus
• Experience with Kubernetes a plus
• Experience with infrastructure as code processes and tools a plus

SIRT - Security Incident Response Team

SIRT Engineers are the firefighters of the GitLab Security Team. As a Security Engineer in SIRT your daily duties will include incident response, log analysis, forensics, tooling and automation development, as well as contributing to strategic improvements to the GitLab products and GitLab.com services. Successful Security Engineers thrive in high-stress environments and can think like both an attacker and defender, have the ability to engage with and mentor more junior Security Engineers, and can help come up with proactive and preventative security measures to keep GitLab and its user’s data safe.

More information about the SIRT role is described in the persona of Alex, SIRT Engineer

SIRT Responsibilities

• Detect and respond to company-wide security incidents
• Log analysis
• Security forensics
• Develop and implement preventative security measures (detection, monitoring, exploitation)
• Build security tools that enable the GitLab Security Team to operate at speed and scale
• Incorporate current security trends, advisories, publications, and academic research
• Engineer CND technologies to monitor and analyze (e.g. IDSes, Data collection tools)
• Vulnerability management - triage and manage vulnerabilities identified through scanning and manual efforts
• Identify and mitigate complex security vulnerabilities before an attacker exploits them
• Communicate risks and mitigations across multiple audiences with varying levels of sensitivity
• Take part in the Security Operations on-call rotation

SIRT Requirements

• 5+ years of demonstrated experience in web or cloud security engineering, log aggregation, and/or penetration testing
• 2+ years of direct experience with incident response
• Experience with log analysis systems
• Engineer, not an analyst mindset
• In-depth knowledge of Linux tools/architecture and logging systems
• Experience with Google Cloud Platform (GCP), AWS, and/or Azure
• Experience with one or more programming languages (Ruby on Rails, Go, PHP and/or Python)
• Proficiency to communicate over a text-based medium (Slack, GitLab Issues, Email) and can succinctly document technical details.

Trust & Safety

Trust & Safety Engineers are the builders of the anti-abuse world. They develop the tools needed to monitor, mitigate and report on abusive behavior and are an essential part of our goal to be good internet citizens.

A successful candidate is someone who wants to make the internet a safer place and do the right thing because it’s right.

Your daily duties will include building tooling and automation for curbing abuse, assist with incident response, as well as contributing to strategic improvements to the GitLab products and GitLab.com services.

Trust & Safety Responsibilities

• Initiatives to curb known abusive activity on GitLab.com, and to identify new and unknown abuse vectors
• DMCA Notice and Counter-Notices (dmca@gitlab.com)
• Mitigation of abusive/non-responsive customers
• Verifying the proper classification of abuse reports
• Escalating to stakeholders while continuing to monitor
• Monitoring logs and queues for trends
• Research and prevention trending abuse methodologies

Trust & Safety Requirements

• 3+ years of demonstrated experience in a developer, system engineering, or security engineering role
• 2+ years experience in Anti-Abuse processes or mitigation
• Broad knowledge of technology, and be passionate about it. Able to discuss and explain popular, internet-based technologies with ease, and present their experience with them.
• Development, scripting, or automation experience - A successful candidate is a builder. They dislike repetitive tasks and have a history of automating their daily workflows to make their days more productive. They are comfortable writing in Python, Ruby, or similar scripting languages, while also being able to read and interpret code from other languages.
• Good communication and documentation skills
• Knowledge of Linux tools/architecture and logging systems
• Experience with SQL
• Nice to Have: Experience with Google Cloud Platform (GCP), AWS, and/or Azure

Security Assurance

Security Assurance Engineers enable Sales by achieving standards as required by our customers and helping to secure the organization. This includes SaaS, self-managed, and open source instances.

• Please refer to the Security Assurance page for additional information.
• Security Compliance
• Field Security
• Security Risk
• Security Governance

Red Team

Red Team specialists emulate adversary activity to better GitLab’s enterprise and product security. The role requires the ability to think like an advanced persistent threat. Creativity is key. For example, develop attack plans and stealthily execute them to compromise sensitive information on GitLab.com such as private repos, or develop and distribute malware to GitLab team-members to demonstrate how the corporate enterprise could be compromised.

• Utilize threat modeling concepts and frameworks such as MITRE ATT&CK, STRIDE, etc. to continually identify ways to protect and defend GitLab assets by executing attacks that emulate a range of adversaries
• Focus on designing, researching, and executing attacks to challenge the blue team
• Strive to identify weaknesses within GitLab products and corporate network and demonstrate the associated risks
• Contribute to the GitLab Secure and Protect products
• Incorporate current security trends, advisories, publications, and academic research
• Understand CND technologies to bypass these security controls and stay undetected
• Report on the Red Team engagements providing an in-depth analysis of the security issues identified
• Identify complex security vulnerabilities and exploit them before an external attacker can exploit them
• Determine the level of effort required to compromise sensitive data
• Publish blog posts and present talks at security conferences
• Contribute to GitLab products by testing and proposing new features

Security Architect

This role reports directly to the VP of Security. Generally we would see this specialty to be filled at the Distinguished level. Distinguished engineers and Fellows have the widest sphere of influence and responsibility at the individual contributor level and as such may be asked to focus on high impacting focus areas. The security architect is a highly technical role responsible for planning, designing, testing, implementing and maintaining security strategy and solutions across the entire GitLab ecosystem. More specifically the responsibilities of this role include:

• Define key architectural patterns, engineering practices and standards and drive them across the organization.
• Work closely with other teams to develop and promote security architectures to protect microservices, serverless, containers, application development and operations practices
• Maintain a deep understanding and application of security concepts at a technical level.
• Responsible for providing security guidance to other team members in their design, implementation and support of new cloud architecture and automation technologies, as well as updates and maintenance of existing cloud and automation systems
• Advocate, document and define security architecture vision from a strategic perspective, including internal and external platforms, tools, and systems
• Contributes to the security of enterprise data and systems by developing enterprise information security solutions.
• Creates and updates a view of IT assets, related attack surfaces, and threat actors to illustrate the flow of data and associated security threats.
• Research, design, and develop new enterprise technologies, architectures, and security products that will support security requirements for the enterprise and its customers, business partners, and vendors.
• Drive deep architectural discussions in a collaborative fashion to ensure solutions are designed for successful, automated deployment in the cloud, vendor, and on prem environments
• Assist in the development of security technology roadmaps and end-of-life technology plans.
• Contribute to, interpret, and disseminate information security policies, standards, and promote awareness of these artifacts to technical component owners.
• Ensure compliance to information security practices & standards to reduce the likelihood of breaches, audit findings, regulatory, and legal liabilities
• Analyzes business impact and exposure based on emerging security threats, vulnerabilities, and risks and contributes to the development and maintenance of information security architecture.
• Engages with security specialists and other functional area architects to ensure adequate enterprise security solutions are in place to sufficiently mitigate identified risks, and to meet business objectives and regulatory requirements.
• Responds to escalated cybersecurity issues for enterprise systems; facilitates advanced diagnosis and troubleshooting when necessary.

Security Engineer Hiring Process

All interviews are conducted using Zoom video conferencing software. Candidates for Security Engineer roles can expect the hiring process to follow the order below, with modifications to the process as required, based on specific situations. Please keep in mind that candidates can be declined from the position at any stage of the process. To learn more about someone who may be conducting the interview, find their job title on our team page.

Screening call with Recruiter

Round 1

• 60 Minute Interview with Hiring Manager

Round 2

• 45 Minute Peer Interview
• 45 Minute Peer Interview

Round 3

• 60 Minute Interview with Director of Security or VP of Security, or both

As always, the interviews and screening call will be conducted via a video call. See more details about our hiring process on the hiring handbook.

Career Ladder

For more details on the engineering career ladders, please review the engineering career development handbook page.

Compensation Calculator

About GitLab

GitLab Inc. is a company based on the GitLab open-source project. GitLab is a community project to which over 2,200 people worldwide have contributed. We are an active participant in this community, trying to serve its needs and lead by example. We have one vision: everyone can contribute to all digital content, and our mission is to change all creative work from read-only to read-write so that everyone can contribute.

We value results, transparency, sharing, freedom, efficiency, self-learning, frugality, collaboration, directness, kindness, diversity, inclusion and belonging, boring solutions, and quirkiness. If these values match your personality, work ethic, and personal goals, we encourage you to visit our primer to learn more. Open source is our culture, our way of life, our story, and what makes us truly unique.

Top 10 Reasons to Work for GitLab:

1. Mission: Everyone can contribute
2. Results: Fast growth, ambitious vision
3. Flexible Work Hours: Plan your day so you are there for other people & have time for personal interests
4. Transparency: Over 2,000 webpages in GitLab handbook, GitLab Unfiltered YouTube channel
5. Iteration: Empower people to be effective & have an impact, Merge Request rate, We dogfood our own product, Directly responsible individuals
6. Diversity, Inclusion & Belonging: A focus on gender parity, Team Member Resource Groups, other initiatives
7. Collaboration: Kindness, saying thanks, intentionally organize informal communication, no ego
8. Total Rewards: Competitive market rates for compensation, Equity compensation, global benefits (inclusive of office equipment)
9. Work/Life Harmony: Flexible workday, Friends and Family days
10. Remote Done Right: One of the world's largest all-remote companies, prolific inventor of remote best practices

See our culture page for more!