Security Engineer

As a member of the security team at GitLab, you will be working towards raising the bar on security.

We will achieve that by working and collaborating with cross-functional teams to provide guidance on security best practices.

The Security Team is responsible for leading and implementing the various initiatives that relate to improving GitLab’s security.

Responsibilities for Security Engineer roles

  • Develop security training and guidance to internal development teams
  • Provide subject matter expertise on architecture, authentication and system security
  • Create and maintain artifacts in a protected repository established as a single source of truth
  • Assess security tools and integrate tools as needed, particularly open-source tools
  • Assist with recruiting activities and administrative work
  • Technical Skills
    • Familiar with common security libraries, security controls, and common security flaws that apply to Ruby on Rails applications.
    • Ability to discover and patch SQLi, XSS, CSRF, SSRF, authentication and authorization flaws, and other web-based security vulnerabilities (OWASP Top 10 and beyond).
    • Knowledge of common authentication technologies including OAuth, SAML, CAs, OTP/TOTP.
    • Knowledge of browser-based security controls such as CSP, HSTS, XFO.
    • Experience with standard web application security tools such as Arachni, Brakeman, and BurpSuite.
    • There should also be time to participate in development of GitLab.
  • Code quality
    • Proactively identify and reduce security risks.
    • Find and remove outdated and vulnerable code and code libraries.
  • Communication
    • Consult with other Developers and Product Managers to analyze and propose application security standards, methods, and architectures.
    • Handle communications with independent vulnerability researchers and design appropriate mitigation strategies for reported vulnerabilities.
    • Educate other developers on secure coding best practices.
    • Ability to professionally handle communications with outside researchers, users, and customers.
    • Ability to communicate clearly on technical issues.
  • Performance & Scalability
    • An understanding of how to write code that is not only secure but scales to a large number of users and systems.

General Requirements for Security Engineer roles

  • You have a passion for security and open source
  • You are a team player, and enjoy collaborating with cross-functional teams
  • You are a great communicator
  • You employ a flexible and constructive approach when solving problems
  • You share our values, and work in accordance with those values
  • Ability to use GitLab

Levels of Security Engineer roles

Intermediate Security Engineer

  • Leverages an understanding of fundamental security concepts
  • Triages and handles basic security issues
  • Is positive and solution oriented
  • Has good written and verbal communication skills
  • Constantly improves product security

Job Grade

The Security Engineer is a grade 6.

Senior Security Engineer

The Senior Security Engineer role extends the Intermediate Security Engineer role.

  • Leverages security expertise in at least one specialty area
  • Triages and handles or escalates security issues independently
  • Conducts security architecture reviews and makes recommendations
  • Has great written and verbal communication skills
  • Interviews security candidates during the hiring process

A Senior Security Engineer may decide to pursue the security engineering management track at this point, should they wish to. See Engineering Career Development for more detail on the tracks available for Senior Engineers.


Job Grade

The Senior Security Engineer is a grade 7.

Staff Security Engineer

The Staff Security Engineer role is a progression of the Senior Security Engineer role and typically reports to a Manager or Senior Manager.

Responsibilities

  • Serve as trusted advisor to team’s leadership, actively shaping the team’s direction
  • Collaborate across teams as technical expert, driving the success of larger projects
  • Evangelize and foster a culture of security awareness across the company, and may represent the organization at industry events
  • Actively lead cross-team technical/project decisions, collaborating closely with other team members, and acting as a directly responsible individual (DRI) where needed
  • Provide mentorship and guidance to engineers within and sometimes outside of the team
  • Proactively address high impact and difficult security challenges, contributing to innovative solutions
  • Gather and analyze security metrics, provide recommendations, and resolve intricate issues within their specialty
  • Play a pivotal role in preventing security issues through contribution of proactive detections and mitigations
  • Implement appropriate solutions that address unique and challenging security issues with cross-team dependencies
  • Lead efforts according to their specialty, set standards, and provide guidance to less experienced team members

Requirements

  • Demonstrated effective collaboration with cross-functional teams, actively fostering a culture of security awareness, and supporting the development of security solutions that impact larger projects
  • Demonstrated innovative problem-solving on complex security issues within your area of expertise
  • Exhibits excellent written and verbal communication skills
  • Communicates technical concepts clearly and can convey the importance of security practices to peers within the Security department as well as team members on other teams.
  • Demonstrated consistent willingness and ability to take on new and difficult challenges
  • Possesses expert-level knowledge in their specialty field and the security technology stack
  • Demonstrates strong technical leadership, acknowledged by cross-functional peers and stakeholders

Job Grade

The Staff Security Engineer is a grade 8.

Principal Security Engineer

The Principal Security Engineer role is a progression of the Staff Security Engineer role and typically reports to a Senior Manager or Director.

Responsibilities

  • Collaborate with department leadership, serving as a trusted advisor, and significantly influence the organization’s security strategy
  • Drive complex security initiatives across departments, proactively identifying and leading high-impact projects to success
  • Serve as an ambassador for security within and outside the organization, engaging with industry peers, communities, and customers as needed
  • Provide mentorship, fostering a culture of continuous learning and collaboration across the department
  • Proactively lead large, complex efforts with multiple cross-org dependencies, drive innovation, and provide thought leadership both internally and sometimes externally
  • Contribute to the development of cutting-edge security practices and technologies
  • Provide strategic guidance and direction that is adopted into the organization’s security strategy

Requirements

  • Proven excellence in devising holistic security direction and strategies that encompass a wide range of technical and organizational considerations
  • Outstanding interpersonal and collaboration skills, demonstrated consistent and successful collaboration across teams on cross-functional security initiatives
  • Demonstrated ability to solve complex and intricate security problems that demand innovative solutions
  • Notable technical leader with demonstrated effective communication and influence at all levels across the organization
  • Highly regarded as a subject matter expert with deep knowledge of the enterprise technology stack
  • Demonstrated profound impact on the organization’s security posture
  • Recognized for their ability to teach, mentor, grow, and provide advice to other domain experts and individual contributors
  • Strong ability to adapt to evolving circumstances, technologies, and strategic priorities, while leading complex initiatives
  • Demonstrate strong conflict management abilities within high-impact initiatives

Job Grade

The Principal Security Engineer is a grade 9.

Distinguished Security Engineer

The Distinguished Security Engineer role is a progression of the Principal Security Engineer role and typically reports to a Director, Senior Director, or VP.

Responsibilities

  • Collaborate as a trusted advisor to Security Senior Leadership, providing visionary technical leadership that shapes the organization’s long-term security strategic direction
  • Collaborate across the Sub-department/teams, successfully influencing and leading the most challenging and impactful security initiatives in alignment with business goals
  • Evangelize and act as an ambassador for GitLab internally and externally through actively engaging with industry peers, customers, and/or regulatory bodies
  • Mentor and guide the most seasoned security professionals and set an example for Principal and Staff Engineers, nurturing the next generation of security leaders
  • Define and lead the most critical and transformative security initiatives with far-reaching cross-organizational dependencies
  • Set new industry standards, drive innovation, and provide thought leadership both internally and externally, positioning the organization as a security leader
  • Identify and mitigate emerging threats before they impact the organization, designing and deploying advanced countermeasures
  • Shape the company’s security strategy, influencing its direction and ensuring it remains at the forefront of industry best practices
  • Develop solutions addressing longer term strategic goals and objectives that have deep and broad impact both internally and externally

Requirements

  • Demonstrated transformative impact on the organization’s security strategy and posture
  • Exemplifies exceptional interpersonal and collaboration skills, consistently delivering successful cross-functional security initiatives
  • Excels at solving the most critical, intricate, and multifaceted security challenges
  • Recognized for their ability to solve problems that others find exceptionally challenging or complex
  • Division and industry leader, demonstrated ability as an influential and recognized subject matter expert
  • Possesses unparalleled knowledge across the entire enterprise technology stack
  • Highly visible technical leader, possessing an exceptional ability to communicate, influence, and lead at all organizational levels
  • Renowned for guiding, mentoring, and shaping not only domain experts but also the future generation of security leaders
  • Display exceptional adaptability when requirements, direction, or circumstances change
  • Exhibit exceptional conflict management skills to navigate and resolve complex and critical conflicts with far-reaching organizational impact

Job Grade

The Distinguished Security Engineer is a grade 10.

Staff+ Initiatives

At GitLab, Staff+ individual contributors take on a larger role by driving initiatives that are larger in scope, impact, and value than their current day-to-day responsibilities call for. In order to achieve this, Staff+ engineers are encouraged to choose 1 project, mutually agreed upon with their manager, for which they act as DRI until completion or mutually agreed upon priorities change. The goal is to provide our staff+ team members the following benefits:

  • Career Growth through increased scope and responsibility
  • Increase in influence and authority through exertion of technical leverage
  • Increase in decision making opportunities
  • Leadership experience
  • Project Management experience

Initiatives are selected with the following criteria:

  • Mutually Decided: The team member and team member’s manager will mutually agree upon the initiative, taking into account the requirements of other stakeholders.
  • Relevant: The initiative should be relevant to GitLab, the Security Department, and the team member’s team.
  • Impactful: The initiative should have a positive impact in making GitLab more secure and/or maturing our Security program
  • (Preferably) Within Team Member’s Domain: To increase the team member’s ability to succeed and ability to control influence and outcome, the chosen work should fall within the team member’s domain of work. The team member does not need to be at an expert level as growth and development in skillset is not only encouraged, but intended.
  • Solves a Problem: The initiative should be designed to produce an outcome that remediates or mitigates a security concern.

All Staff+ initiatives are tracked as epics with the ~"Staff+ Initiative" label in both of our top-level namespaces, with corresponding epic boards for global transparency and tracking.

Project Expectations

Once an initiative is mutually agreed upon, the team member will be wholly responsible for driving the project. The following project elements should be addressed as applicable:

Time Considerations

The manager and team member should work to define how much time should be allocated towards this initiative. The time allocated should fall within 20 to 40% of the team member’s time but will need to take into consideration the impact to the team’s day-to-day obligations that may be of higher priority.

Define Objective and Scope of Work

Scope should include systems, services, and tools. The objective should provide a clear description outlining the problem to be addressed, why this is a problem, what impact or value solving this problem will have, and the cost of not addressing this issue. Note: The more data you can provide in proving value, the more likely you are to succeed. For example, it is better to say “fixing this will result in a reduction of $74,000 in bug bounty spend” than “fixing this will make us more secure”.

Timebound

The initiative will list a projected start and end date. Ideally, projects would range anywhere from 6 weeks to 6 months. The end date is your educated guess and may change, but leverage the due date to your advantage with your dependencies and stakeholders. Further, this does not need to follow a quarterly cycle, meaning it does not need to start at the beginning of a quarter and end on the last day of the quarter. The intent is to start an initiative and carry it to 100% completion. The work is not required to be tracked as an OKR, but the team member may choose to create OKRs if they feel more comfortable with that tracking and reporting style.

Milestones

Project milestones should be well defined. If this is not possible, seek the guidance of your manager to establish proposed milestones; they may evolve once the project is underway. This will help team members stay on track and account for progress.

Success Criteria

The project needs to have well-defined exit criteria. These should match the expected outcome and intent of the project definition. It is OK to recommend further actions to be taken in the future, provided those are based on insights gained during execution of the initiative and were not part of the original goal.

Stakeholders

The team member should ensure stakeholders are identified, notified, and kept informed throughout the duration of the project. It is the team member’s responsibility to negotiate time and resources with their stakeholders and understand the nuances of stakeholder and team priorities.

Dependencies & Risks

The team member should carefully consider project dependencies and risks ahead of time and how they might impact the project to reduce the likelihood of them and their stakeholders being surprised by significant factors that can derail a project.

Reporting

Tracking and reporting is a necessary component of ensuring visibility and transparency to your stakeholders and other interested parties. This reporting also helps provide guidance for other ICs who want to work towards a Staff+ position within GitLab. Further, it allows for quicker intervention when a project is at risk. The team member should determine the proper cadence and method of communication for their project. Reporting should include project metrics to make it easy to understand status.

Close-out

At the close of the project, the team member should document what goals were met, what was not met, and recommendations for future iterations (if applicable).

Specialties for Security Engineer roles

Application Security

Application Security specialists work closely with development teams, product managers (PM), and third-party groups (including the paid bug bounty program) to ensure that GitLab products are secure.

Application Security Responsibilities

  • Perform vulnerability management and be a subject matter expert (SME) for mitigation approaches.
  • Support and evolve the bug bounty program.
  • Conduct risk evaluation of GitLab product features.
  • Conduct application security reviews, including code review and dynamic testing.
  • Participate in initiatives to holistically address multiple vulnerabilities found in a functional area.
  • Develop security training and socialize the material with internal development teams.
  • Develop automated security testing to validate that secure coding best practices are being used.
  • Facilitate preparation of both critical and regular security releases
  • Guide, advise, and assist product development teams as SMEs in the area of application security.
  • Assist with recruiting activities and administrative work
  • Assist in identifying process changes and tooling to mature the software development lifecycle at GitLab
  • Identify, prioritize, and communicate vulnerability patterns, security enhancement ideas, and automation needs to stakeholders, including the Product Security Engineering team

Application Security Requirements

  • Familiarity with common security libraries, security controls, and common security flaws that apply to Ruby on Rails applications
  • Some development experience (Ruby and Ruby on Rails preferred; for GitLab debugging)
  • Experience with OWASP, static/dynamic analysis, and common exploit tools and methods
  • An understanding of network and web related protocols (such as TCP/IP, UDP, IPsec, HTTP, HTTPS, and routing protocols)
  • Familiarity with cloud security controls and best practices

Product Security Engineering

Product Security Engineering specialists work closely with the Application Security team, development teams, and product managers (PM) to deliver security improvements to GitLab products. They are additionally responsible for building and maintaining automations that help the Application Security team work efficiently and operate at scale.

Product Security Engineering Team Responsibilities

  • Design and contribute product-first code that enhances the security of GitLab’s software assets and improves security at every stage of the software development lifecycle
  • Partner with Engineering teams to understand and then implement security enhancements, defense-in-depth, and other security related improvements
  • Design, engineer, deploy, and maintain security libraries to be used by GitLab development teams
  • Design and engineer solutions that solve classes of vulnerabilities
  • Build and maintain security tooling and automation for internal use that enable the Application Security team to operate at high speed and wide scale
  • Collaborate with the Application Security team to identify, understand and prioritize security enhancements and automation opportunities, including through assisting with threat modeling and root cause analyses
  • Plan and prioritize Product Security Engineering team efforts, with a focus on delivering high-impact proactive and preventative controls which will scale with the organization and result in improved product security
  • Define and own metrics and key performance indicators to determine the effectiveness of the Product Security Engineering team

Product Security Engineering Team Requirements

  • Strong development or scripting experience and skills, preferably significant professional experience with Ruby on Rails and/or Golang
  • Excellent understanding of application security issues and how to fix application security vulnerabilities
  • Track record of delivering results through the entire software development lifecycle

Signals Engineering

Signals engineers build and maintain security observability capabilities and transform those capabilities into actionable signals and detections to detect attacker behaviors. An understanding of the GitLab product and a passion for diving deep into attacker behaviors is a key competency in this role. Signals engineers are able to think like an incident responder, research and test attacker TTPs, maintain relationships with product stakeholders, and empower the business to build and improve security logging and detection capabilities.

Signals Engineering Team Responsibilities:

  • Develop and improve security signal creation at GitLab - including the GitLab product, corporate, cloud and identity infrastructure.
  • Map detection capabilities to breach concerns, identifying critical signals to detect behaviors of interest.
  • Understand the implications of an attack, vulnerability, or gap in security observability, and be able to translate that gap into an opportunity to improve overall security observability.
  • Sit at the intersection of the Security Operations, Infrastructure, and Product teams, a position well suited to creating threat detection rules and to identifying and empowering the business to implement security observability improvements, both for internal threat detection and for customer security observability needs.
  • Dogfood the GitLab product observability capabilities through product logging such as the GitLab audit log.
  • Build and report on signals engineering metrics.
  • Participate in high severity security incidents with a focus on identifying gaps in observability, building new threat detection rules, and reducing the mean time to detection creation.

Signals Engineering Team Requirements:

  • A passion for AI (Artificial Intelligence) with goals to implement it in all parts of detection engineering
  • Ability to write complex threat detection engineering rules
  • Experience with SIEM tools, such as Splunk or Devo
  • Programming knowledge and ability to automate manual processes using code in a commonly used programming language, like Python
  • The ability to map out and understand attacker patterns and behaviors and understand the security implications of various attacks on DevSecOps platforms like GitLab.
  • The ability to assist in translating technical details into a cohesive story which empowers security observability improvements.
  • Some experience with Google Cloud Platform (GCP) and/or AWS

SIRT - Security Incident Response Team

SIRT Engineers are the firefighters of the GitLab Security Team. As a Security Engineer in SIRT, your daily duties will include incident response, log analysis, forensics, tooling and automation development, as well as contributing to strategic improvements to the GitLab products and GitLab.com services. Successful Security Engineers thrive in high-stress environments and can think like both an attacker and a defender, have the ability to engage with and mentor more junior Security Engineers, and can help come up with proactive and preventative security measures to keep GitLab and its users’ data safe.

More information about the SIRT role is described in the persona of Alex, SIRT Engineer.

SIRT Responsibilities

  • Detect and respond to company-wide security incidents
  • Log analysis
  • Security forensics
  • Develop and implement preventative security measures (detection, monitoring, exploitation)
  • Build security tools that enable the GitLab Security Team to operate at speed and scale
  • Incorporate current security trends, advisories, publications, and academic research
  • Engineer CND technologies to monitor and analyze (e.g. IDSes, Data collection tools)
  • Vulnerability management - triage and manage vulnerabilities identified through scanning and manual efforts
  • Identify and mitigate complex security vulnerabilities before an attacker exploits them
  • Communicate risks and mitigations across multiple audiences with varying levels of sensitivity
  • Take part in the Security Operations on-call rotation

SIRT Requirements

  • 5+ years of demonstrated experience in web or cloud security engineering, log aggregation, and/or penetration testing
  • 2+ years of direct experience with incident response
  • Experience with log analysis systems
  • An engineer’s mindset, not an analyst’s
  • In-depth knowledge of Linux tools/architecture and logging systems
  • Experience with Google Cloud Platform (GCP), AWS, and/or Azure
  • Experience with one or more programming languages (Ruby on Rails, Go, PHP and/or Python)
  • Proficiency to communicate over a text-based medium (Slack, GitLab Issues, Email) and can succinctly document technical details.

Trust & Safety

Trust & Safety Engineers are the builders of the anti-abuse world. They develop the tools needed to monitor, mitigate and report on abusive behavior and are an essential part of our goal to be good internet citizens.

A successful candidate is someone who wants to make the internet a safer place and do the right thing because it’s right.

Your daily duties will include building tooling and automation for curbing abuse, assisting with incident response, and contributing to strategic improvements to the GitLab products and GitLab.com services.

Trust & Safety Responsibilities

  • Initiatives to curb known abusive activity on GitLab.com, and to identify new and unknown abuse vectors
  • DMCA Notice and Counter-Notices (dmca@gitlab.com)
  • Mitigation of abusive/non-responsive customers
  • Verifying the proper classification of abuse reports
  • Escalating to stakeholders while continuing to monitor
  • Monitoring logs and queues for trends
  • Research and prevent trending abuse methodologies

Trust & Safety Requirements

  • 3+ years of demonstrated experience in a developer, system engineering, or security engineering role
  • 2+ years experience in Anti-Abuse processes or mitigation
  • Broad knowledge of, and passion for, technology. Able to discuss and explain popular internet-based technologies with ease, and to present their experience with them.
  • Development, scripting, or automation experience - A successful candidate is a builder. They dislike repetitive tasks and have a history of automating their daily workflows to make their days more productive. They are comfortable writing in Python, Ruby, or similar scripting languages, while also being able to read and interpret code from other languages.
  • Good communication and documentation skills
  • Knowledge of Linux tools/architecture and logging systems
  • Experience with SQL
  • Nice to Have: Experience with Google Cloud Platform (GCP), AWS, and/or Azure

Security Assurance

Security Assurance Engineers enable Sales and support go-to-market by achieving standards as required by our customers and helping to secure the organization. This includes SaaS, self-managed, and open source instances.

Security Architect

This role reports directly to the CISO. Generally we would expect this specialty to be filled at the Distinguished level. Distinguished engineers and Fellows have the widest sphere of influence and responsibility at the individual contributor level and as such may be asked to focus on high-impact focus areas. The security architect is a highly technical role responsible for planning, designing, testing, implementing and maintaining security strategy and solutions across the entire GitLab ecosystem. More specifically, the responsibilities of this role include:

  • Define key architectural patterns, engineering practices and standards and drive them across the organization
  • Work closely with other teams to develop and promote security architectures to protect microservices, serverless, containers, application development and operations practices
  • Maintain a deep understanding and application of security concepts at a technical level
  • Provide security guidance to other team members in their design, implementation and support of new cloud architecture and automation technologies, as well as updates and maintenance of existing cloud and automation systems
  • Advocate, document and define security architecture vision from a strategic perspective, including internal and external platforms, tools, and systems
  • Contribute to the security of enterprise data and systems by developing enterprise information security solutions
  • Create and update a view of IT assets, related attack surfaces, and threat actors to illustrate the flow of data and associated security threats
  • Research, design, and develop new enterprise technologies, architectures, and security products that will support security requirements for the enterprise and its customers, business partners, and vendors
  • Drive deep architectural discussions in a collaborative fashion to ensure solutions are designed for successful, automated deployment in cloud, vendor, and on-prem environments
  • Assist in the development of security technology roadmaps and end-of-life technology plans
  • Contribute to, interpret, and disseminate information security policies and standards, and promote awareness of these artifacts to technical component owners
  • Ensure compliance with information security practices and standards to reduce the likelihood of breaches, audit findings, and regulatory and legal liabilities
  • Analyze business impact and exposure based on emerging security threats, vulnerabilities, and risks, and contribute to the development and maintenance of information security architecture
  • Engage with security specialists and other functional area architects to ensure adequate enterprise security solutions are in place to sufficiently mitigate identified risks, and to meet business objectives and regulatory requirements
  • Respond to escalated cybersecurity issues for enterprise systems; facilitate advanced diagnosis and troubleshooting when necessary

Security Engineer Hiring Process

All interviews are conducted using Zoom video conferencing software. Candidates for Security Engineer roles can expect the hiring process to follow the order below, with modifications to the process as required, based on specific situations. Please keep in mind that candidates can be declined from the position at any stage of the process. To learn more about someone who may be conducting the interview, find their job title on our team page.

Screening call with Recruiter

Round 1

  • 60 Minute Interview with Hiring Manager

Round 2

  • 45 Minute Peer Interview
  • 45 Minute Peer Interview

Round 3

  • 60 Minute Interview with Director of Security or CISO, or both

As always, the interviews and screening call will be conducted via a video call. See more details about our hiring process on the hiring handbook.

Performance Indicators

Career Ladder

For more details on the engineering career ladders, please review the engineering career development handbook page.

About GitLab

GitLab Inc. is a company based on the GitLab open-source project. GitLab is a community project to which over 2,200 people worldwide have contributed. We are an active participant in this community, trying to serve its needs and lead by example. We have one vision: everyone can contribute to all digital content, and our mission is to change all creative work from read-only to read-write so that everyone can contribute.

We value results, transparency, sharing, freedom, efficiency, self-learning, frugality, collaboration, directness, kindness, diversity, inclusion and belonging, boring solutions, and quirkiness. If these values match your personality, work ethic, and personal goals, we encourage you to visit our primer to learn more. Open source is our culture, our way of life, our story, and what makes us truly unique.

Top 10 Reasons to Work for GitLab:

  1. Mission: Everyone can contribute
  2. Results: Fast growth, ambitious vision
  3. Flexible Work Hours: Plan your day so you are there for other people & have time for personal interests
  4. Transparency: Over 2,000 webpages in GitLab handbook, GitLab Unfiltered YouTube channel
  5. Iteration: Empower people to be effective & have an impact, Merge Request rate, We dogfood our own product, Directly responsible individuals
  6. Diversity, Inclusion & Belonging: A focus on gender parity, Team Member Resource Groups, other initiatives
  7. Collaboration: Kindness, saying thanks, intentionally organize informal communication, no ego
  8. Total Rewards: Competitive market rates for compensation, Equity compensation, global benefits (inclusive of office equipment)
  9. Work/Life Harmony: Flexible workday, Family and Friends days
  10. Remote Done Right: One of the world's largest all-remote companies, prolific inventor of remote best practices

See our culture page for more!

Work remotely from anywhere in the world. Curious to see what that looks like? Check out our remote manifesto and guides.

Last modified October 8, 2024: Update file security-engineer.md (c8021ae2)