Security Specialist
GitLab Inc. is a company based on the GitLab open-source project. GitLab is a community project to which over 1,000 people worldwide have contributed. We are an active participant in this community, trying to serve its needs and lead by example. We have one vision: everyone can contribute to all digital content, and our mission is to change all creative work from read-only to read-write so that everyone can contribute.
We value results, transparency, sharing, freedom, efficiency, frugality, collaboration, directness, kindness, diversity, boring solutions, and quirkiness. If these values match your personality, work ethic, and personal goals, we encourage you to visit our primer to learn more. Open source is our culture, our way of life, our story, and what makes us truly unique.
Top 10 reasons to work for GitLab:
- Work with helpful, kind, motivated, and talented people.
- Work remote so you have no commute and are free to travel and move.
- Have flexible work hours so you are there for other people and free to plan the day how you like.
- Everyone works remote, but you don't feel remote. We don't have a head office, so you're not in a satellite office.
- Work on open source software so you can interact with a large community and can show your work.
- Work on a product you use every day: we drink our own wine.
- Work on a product used by lots of people that care about what you do.
- As a company we contribute more than we take; most of our work is released as the open source GitLab CE.
- Focused on results, not on long hours, so that you can have a life and don't burn out.
- Open internal processes: know what you're getting into and be assured we're thoughtful and effective.
See our culture page for more!
A Security Specialist is a Developer who focuses on ensuring that GitLab and associated applications are as secure as possible. The Security Specialist reports to the Security Lead and has the following set of skills, experience, and responsibilities:
- Technical Skills
- Development experience with Ruby on Rails. This position does not require senior-level development experience but the applicant should be very familiar with common security libraries, security controls, and common security flaws that apply to Ruby on Rails applications.
- In this position we expect that you will spend about 60% of your time on development for patches, security releases, higher-level application security, and, if time allows, non-security-related development.
- Ability to discover and patch SQLi, XSS, CSRF, SSRF, authentication and authorization flaws, and other web-based security vulnerabilities (OWASP Top 10 and beyond).
- Knowledge of common authentication technologies including OAuth, SAML, CAs, OTP/TOTP.
- Knowledge of browser-based security controls such as CSP, HSTS, XFO.
- Experience with standard web application security tools such as Arachni, Brakeman, and BurpSuite.
- Code quality
- Proactively identifying and reducing security risks.
- Finding and removing outdated and vulnerable code and code libraries.
- Consult with other developers and product managers to analyze and propose application security standards, methods, and architectures.
- Handle communications with independent vulnerability researchers and design appropriate mitigation strategies for reported vulnerabilities.
- Educate other developers on secure coding best practices.
- Ability to professionally handle communications with outside researchers, users, and customers.
- Ability to communicate clearly on technical issues.
- Performance & Scalability
- An understanding of how to write code that is not only secure but scales to a large number of users and systems.
Applicants for this position can expect the hiring process to follow the order below. Please keep in mind that applicants can be declined from the position at any stage of the process. To learn more about someone who may be conducting the interview, find her/his job title on our team page.
* Selected candidates will be invited to schedule a 45 minute [screening call](/handbook/hiring/#screening-call) with a Recruiter
* Next, candidates will be invited to schedule a 45 minute [technical interview](/jobs/#technical-interview) with the [Security Lead](https://about.gitlab.com/jobs/security-lead/)
* Candidates will then be invited to schedule a 45 minute interview with our Interim VP of Infrastructure
* Candidates will be invited to schedule a one hour interview with our VP of Engineering
* Finally, candidates will have a 50 minute interview with our CEO
* Successful candidates will subsequently be made an offer via email
Avoid the confidence gap; you do not have to match all the listed requirements exactly to apply. Our hiring process is described in more detail in our hiring handbook.
Work remotely from anywhere in the world. Curious to see what that looks like? Check out our remote manifesto.