Senior Security Engineer, Application Security (AMER)

Posted 2 months ago
145000 - 200000 USD per year
United States | Full-Time | Software Development
Company: GitLab
Location: United States
Languages: English
Seniority level: Senior, 5+ years
Experience: 5+ years
Skills:
Software Development, Bash, Git, Ruby on Rails, Go, CI/CD, Linux, DevOps
Requirements:
- Bachelor's degree or equivalent in Computer Science or equivalent practical education and experience.
- 5+ years professional experience in a computer technology field including IT, technical support, or engineering.
- Very good understanding of computer code and how to detect and remediate classes of security defects.
- Programming experience in one or more coding languages, with a preference for Ruby on Rails or Go languages.
- Comfortable in shell scripting to automate recurring work or build PoC exploits.
- Strong knowledge of application security concepts such as OWASP Top 10 bug types, the STRIDE model, CVSS scoring, and Threat Modeling assessments.
- Experience with application security practices including code review, threat modeling, static and dynamic analysis (SAST, DAST), and attack surface analysis.
- Experience performing Application Penetration Testing or Vulnerability Research / Bug Bounty Hunting.
- Ability to provide subject matter expertise on software architecture design and system security.
- Familiar with common security libraries, security controls, and common security flaws that apply to Ruby on Rails applications.
- Demonstrated ability to learn new technical concepts in cloud and web application security assessment.
- Flexible, effective, and inclusive communication skills.
- Proficiency in the English language, both written and verbal.
- Demonstrated critical and creative thinking.
- Comfortable using Git.
- Experience with standard web application security tools such as Brakeman and BurpSuite.
Responsibilities:
- Conduct security-focused application design and architecture reviews, threat modeling, code review, and security testing assessment.
- Propose and establish secure development practices, identify and develop Paved Roads and security standards.
- Help secure GitLab by using and providing customer feedback on platform features.
- Secure our software supply chain and improve security workflows and controls.
- Identify and drive team maturity opportunities in processes, metrics, workflows and automations.
About the Company
GitLab
1001-5000 employees | Developer Tools