- You are here:
- Security Lead
Our thesis is that Good Security Is Holistic. We think that simulating a security culture in engineering is one of the most important things. We don't do checklist security, the goal is to keep the trust of our users by being secure, compliance is not a goal in itself. We don't think that third party products are unimportant but they are not a silver bullet to making everything secure.
The Security Team Lead is responsible for leading the various initiatives that relate to improving GitLab's security.
The Security Lead reports to the Director of Security(vacancy).
- Find and fix security issues within the GitLab code base
- Define, implement, and monitor security measures to protect GitLab.com and company assets
- Manage a bug bounty program
- Perform vulnerability testing, risk analyses, and security assessments, and follow through on implementation, working across teams.
- Investigate intrusion incidents, conduct forensic investigations, and mount incident responses
- Collaborate with colleagues on authentication, authorization and encryption solutions
- Evaluate new technologies and processes that enhance security capabilities
- Analyze and advise on new security technologies and program conformance
- Write documentation around how to maintain a high-level of security.
- Secure Development lifecycle (SDL) process guidance
- Style guides and design best practices for engineering
- Courses for engineering (including guest speakers)
- Reduce surface area in application (Git Annex, old API)
- Post-postmortems on found security bugs (helps people think about it, high leverage)
- Document security trade-offs
- Automated testing/linting
- Compliance (HIPAA)
- Offensive (pen testing)
- Detection and response (monitoring, Detection, IDS, OSSEC, updates, response)
- Network security (teleport, VPC's, firewalls, access control, also IDS)
- Patch management / Vulnerability management and coordination (modeled after relevant ISO standard)
- Defense in depth recommendations
- Penetration testing by externals
- Source code analysis by externals
- Bug bounty program
- Endpoint security (fleetsmith, encryption, phishing reporting, yubikey, reducing access)
- Runbooks for incidents, recovery plans
- Abuse (spam, bitcoin mining)
- Package infrastructure/update/release process/patches
- Communication (blog post, postmortems, incident response/crisis communication)
- Dependencies and contribution security risks
- Credential management (Vault)
- Experience with application and SaaS security experience in production-level settings.
- This position requires some development experience and high level of familiarity with common security libraries, security controls, and common security flaws that apply to Ruby on Rails applications.
- Passion for open source
- Linux experience (e.g. Ubuntu)
- Programming experience (Ruby and Ruby on Rails preferred; for GitLab debugging)
- Collaborative team spirit with great communication skills
- You share our values, and work in accordance with those values.
NOTE In the compensation calculator below, fill in "Lead" in the
Level field for this role.
Please note that if we are actively hiring for a position, you will see it listed on our jobs page, where all of our current openings are advertised. To apply, please click on the name of the role you are interested in, which will take you to our applicant tracking system (ATS), Lever.
Avoid the confidence gap; you do not have to match all the listed requirements exactly to apply. Our hiring process is described in more detail in our hiring handbook.
GitLab Inc. is a company based on the GitLab open-source project. GitLab is a community project to which over 1,000 people worldwide have contributed. We are an active participant in this community, trying to serve its needs and lead by example. We have one vision: everyone can contribute to all digital content, and our mission is to change all creative work from read-only to read-write so that everyone can contribute.
We value results, transparency, sharing, freedom, efficiency, frugality, collaboration, directness, kindness, diversity, boring solutions, and quirkiness. If these values match your personality, work ethic, and personal goals, we encourage you to visit our primer to learn more. Open source is our culture, our way of life, our story, and what makes us truly unique.
Top 10 reasons to work for GitLab:
- Work with helpful, kind, motivated, and talented people.
- Work remote so you have no commute and are free to travel and move.
- Have flexible work hours so you are there for other people and free to plan the day how you like.
- Everyone works remote, but you don't feel remote. We don't have a head office, so you're not in a satellite office.
- Work on open source software so you can interact with a large community and can show your work.
- Work on a product you use every day: we drink our own wine.
- Work on a product used by lots of people that care about what you do.
- As a company we contribute more than we take, most of our work is released as the open source GitLab CE.
- Focused on results, not on long hours, so that you can have a life and don't burn out.
- Open internal processes: know what you're getting in to and be assured we're thoughtful and effective.
See our culture page for more!
Work remotely from anywhere in the world. Curious to see what that looks like? Check out our remote manifesto.