Senior Security Incident Response Team Engineer (SIRT Engineer)

Responsibilities for Security Engineer roles

• Develop security training and guidance to internal development teams
• Provide subject matter expertise on architecture, authentication and system security
• Assess security tools and integrate tools as needed, particularly open-source tools
• Assist with recruiting activities and administrative work
• Technical Skills
  • Familiar with common security libraries, security controls, and common security flaws that apply to Ruby on Rails applications.
  • Ability to discover and patch SQLi, XSS, CSRF, SSRF, authentication and authorization flaws, and other web-based security vulnerabilities (OWASP Top 10 and beyond).
  • Knowledge of common authentication technologies including OAuth, SAML, CAs, OTP/TOTP.
  • Knowledge of browser-based security controls such as CSP, HSTS, XFO.
  • Experience with standard web application security tools such as Arachni, Brakeman, and BurpSuite.
  • There should also be time to participate in development of GitLab.
• Code quality
  • Proactively identify and reduce security risks.
  • Find and remove outdated and vulnerable code and code libraries.
• Communication
  • Consult with other Developers and Product Managers to analyze and propose application security standards, methods, and architectures.
  • Handle communications with independent vulnerability researchers and design appropriate mitigation strategies for reported vulnerabilities.
  • Educate other developers on secure coding best practices.
  • Ability to professionally handle communications with outside researchers, users, and customers.
  • Ability to communicate clearly on technical issues.
• Performance & Scalability
  • An understanding of how to write code that is not only secure but scales to a large number of users and systems.

General Requirements for Security Engineer roles

• You have a passion for security and open source
• You are a team player, and enjoy collaborating with cross-functional teams
• You are a great communicator
• You employ a flexible and constructive approach when solving problems
• You share our values , and work in accordance with those values
• Ability to use GitLab

Levels of Security Engineer roles Intermediate Security Engineer

• Leverage understanding of fundamental security concepts
• Triages/handles basic security issues
• Be positive and solution oriented
• Good written and verbal communication skills
• Constantly improve product security

Job Grade The Security Engineer is a grade 6 .Senior Security Engineer The Senior Security Engineer role extends the Intermediate Security Engineer role.

• Leverages security expertise in at least one specialty area
• Triages and handles/escalates security issues independently
• Conduct security architecture reviews and makes recommendations
• Great written and verbal communication skills
• Interview security candidates during hiring process

A Senior Security Engineer may decide to pursue the security engineering management track at this point, should they wish to. See Engineering Career Development for more detail on the tracks available for Senior Engineers.Job Grade The Senior Security Engineer is a grade 7 .Staff Security Engineer The Staff Security Engineer role extends the Senior Security Engineer role.

• Recognized security expert in multiple specialty areas, with cross-functional team experience
• Make security architecture decisions
• Provide actionable and constructive feedback to cross-functional teams
• Implement security technical and process improvements
• Exquisite written and verbal communication skills
• Author technical security documents
• Author questions/processes for hiring and screening candidates
• Write public blog posts and represent GitLab as a speaker at security conferences

Job Grade The Staff Security Engineer is a grade 8 .Distinguished Security Engineer TBDJob Grade The Distinguished Security Engineer is a grade 10 .Specialties for Security Engineer roles Security Research Security research specialists are subject matter experts (SME) that conduct research in their area of expertise to protect GitLab the product and GitLab company assets. They are also encouraged to participate in the larger security community through blog posts and participation in industry conferences. Responsibilities for this specialty include:

• Conduct research in their area of expertise to protect GitLab and GitLab.com assets.
• Research security posture of FOSS tools that are integrated with GitLab.
• Report findings to tool developers and track mitigation process, following responsible disclosure guidelines .
• Author blogs posts and presentations on vulnerabilities discovered and their area of expertise.
• Support other GitLab initiatives as a SME.
• Author documentation and/or tooling for security training.

Application Security Application Security specialists work closely with development teams, product managers (PM), and third-party groups (including the paid bug bounty program) to ensure that GitLab products are secure.Application Security Responsibilities

• Perform vulnerability management and be a subject matter expert (SME) for mitigation approaches.
• Support and evolve the bug bounty program.
• Conduct risk evaluation of GitLab product features.
• Conduct application security reviews, including code review and dynamic testing.
• Participate in initiatives to holistically address multiple vulnerabilities found in a functional area.
• Develop security training and socialize the material with internal development teams.
• Develop automated security testing to validate that secure coding best practices are being used.
• Facilitate preparation of both critical and regular security releases
• Guide, advise, and assist product development teams as SMEs in the area of application security.
• Assist with recruiting activities and administrative work

Application Security Requirements

• Familiarity with common security libraries, security controls, and common security flaws that apply to Ruby on Rails applications
• Some development experience (Ruby and Ruby on Rails preferred; for GitLab debugging)
• Experience with OWASP, static/dynamic analysis, and common exploit tools and methods
• An understanding of network and web related protocols (such as, TCP/IP, UDP, IPSEC, HTTP, HTTPS, routing protocols)
• Familiarity with cloud security controls and best practices

Security Automation By leveraging diverse technologies and an automation first approach, the Security Automation team strives towards improving the efficiency, effectiveness, and accuracy within GitLabs Information Security program with a focus on cost savings. Examples include the creation of automated security issue triage and management solutions, automating handling of repetitive tasks, and defining re-usable security automation architectures. Additionally, the Security Automation team will assist other security specialty teams with automation efforts they are leading and developing through the assessment of automation tools, and integration tools and technologies to support automation efforts as needed.Security Automation Responsibilities

• Design, engineer, deploy, and maintain custom automation products
• Build security tooling and automation for internal use that enable the Security Department to operate at high speed and wide scale
• Define and own metrics and key performance indicators to determine the effectiveness of the Security Automation program
• Collaborate with product teams to ensure that the GitLab product meets security automation requirements for ourselves and our users.

Security Automation Requirements

• Previous experience on a Security Operations, Software Development, or Automation team
• Scripting/coding experience with one or more languages - Python, Ruby, and/or Golang experience a plus
• Extensive knowledge of Internet security issues, automation or software engineering technologies, cloud architectures, and threat landscape concepts
• Solid understanding of the Software as a Service (SaaS) model
• Solid understanding of the DevOps model
• Experience with Cloud Computing Platforms - GCP experience a plus
• Experience with Kubernetes a plus
• Experience with infrastructure as code processes and tools a plus

,