Your work will shape GitLab's enterprise security posture in the rapidly growing software supply chain security market. You'll focus on SLSA Level 3 compliance, secrets management, CI/CD security hardening, and the foundations of GitLab's global zero trust architecture.

Some examples of our projects:

• SLSA Level 3 compliance and provenance attestation across GitLab's CI/CD platform
• Integrated secrets management and runner security for container-isolated, secure pipelines

You'll lead the end-to-end software supply chain security architecture for GitLab's CI/CD platform, including SLSA Level 3 implementation and CI infrastructure hardening. You'll drive cross-team technical strategy and decisions across our Software Supply Chain Security (SSCS) stage teams, aligning engineering work to SSCS strategic plans.

You'll collaborate with infrastructure and CI/CD teams to design and land long-term initiatives for secure, scalable runner architecture, container isolation, and pipeline security at scale. You'll propose and validate technical implementations that support architectural changes to improve CI/CD scaling and performance on critical paths.

You'll teach, mentor, and coach Staff Engineers and individual contributors, raising the bar on supply chain threat modeling, secrets management, artifact signing, and SBOM lifecycle practices.

You'll partner with Engineering Managers and senior leadership to define roadmaps, break down complex initiatives, and enable Staff Engineers to lead sub-department-wide efforts.

You'll engage with customers and external stakeholders as a technical consultant and spokesperson for GitLab's software supply chain security capabilities and roadmap.

You'll collaborate with product, security, and compliance stakeholders to ensure features meet enterprise security, governance, and regulatory expectations in the software supply chain security market.

Key responsibilities include:

• Providing architectural leadership across multiple engineering teams
• Shaping GitLab's enterprise security posture in the rapidly growing software supply chain security market
• Focusing on SLSA Level 3 compliance, secrets management, CI/CD security hardening, and the foundations of GitLab's global zero trust architecture

Key requirements include:

• Deep expertise in software supply chain security, including threat modeling for supply chain attack vectors, SLSA implementation and attestation systems, and SBOM generation and lifecycle management
• Strong knowledge of artifact signing and verification using the Sigstore ecosystem, including Cosign, Fulcio, Rekor, and in-toto attestations
• Experience designing and hardening CI/CD security, such as runner isolation, pipeline security controls, and secrets management in large-scale environments

Preferred qualifications include:

• Background in distributed systems and infrastructure, including building resilient CI/CD platforms that process high pipeline volumes and optimizing performance for critical paths
• Practical experience with container security and Kubernetes security, including admission controllers, policy controllers, workload isolation, and registry hardening
• Proficiency in Go or Rust in a production environment, combined with expert-level understanding of CI/CD workflows and DevSecOps best practices
• Experience operating as a Principal or Staff Engineer across multiple development teams, providing architectural leadership and partnering with Engineering Managers and senior leaders
• Demonstrated capacity to clearly communicate complex problems and solutions

Our Software Supply Chain Security stage engineering teams are responsible for authentication and access within GitLab. We also build features that help customers manage vulnerabilities, dependencies, security policies, and compliance frameworks across their organizations.

The base salary range for this role's listed level is currently for residents of the United States only. This range is intended to reflect the role's base salary rate in locations throughout the US. Grade level and salary ranges are determined through interviews and a review of education, experience, knowledge, skills, abilities of the applicant, equity with other team members, alignment with market data, and geographic location. The base salary range does not include any bonuses, equity, or benefits.

XML job scraping automation by YubHub

Responsibilities: Conduct in-depth code reviews and static analysis to identify and mitigate security vulnerabilities in our applications Design and implement secure coding guidelines and best practices for development teams Collaborate closely with development teams to integrate security practices throughout the CI/CD pipeline Perform threat modeling and risk assessments for applications, developing mitigation strategies for potential risks Manage vulnerability tracking and remediation efforts, providing guidance to development teams Support incident response activities related to application security Stay current on emerging security threats and trends in cloud-native technologies and AI, continuously enhancing our security measures Evaluate and secure software supply chains, including producing and maintaining Software Bills of Materials (SBOMs) Address security concerns specific to AI and machine learning models, with a focus on the OWASP LLM Top 10

Basic Qualifications: Bachelor's degree in Computer Science, Cybersecurity, or a related field 3-5 years of experience in application security, with a strong focus on code security practices Deep understanding of secure coding practices, application security frameworks, and common vulnerabilities (e.g., OWASP Top 10) Proficiency in Python or Rust programming languages and experience with secure coding practices in these languages Experience securing CI/CD pipelines and implementing DevSecOps practices Familiarity with software supply chain security and SBOM generation tools Experience with security testing tools (e.g., Burp Suite, OWASP ZAP) and static/dynamic code analysis Understanding of AI/ML security implications, particularly those outlined in the OWASP LLM Top 10 Excellent communication skills, able to explain complex security issues to both technical and non-technical audiences

Preferred Skills and Experience: Experience with cloud platforms (e.g., GCP, AWS, Azure) and their security features Relevant security certifications (e.g., CSSLP, OSWE) Background in data privacy and compliance regulations relevant to cloud-native applications and AI systems Experience with GitOps and infrastructure-as-code security Familiarity with federated learning and privacy-preserving machine learning techniques Experience in building custom security tooling to enhance and automate security processes Interest in leveraging AI to automate security tasks and improve efficiency Contributions to open-source security projects or tools Experience in securing AI/ML models and data pipelines

Compensation and Benefits: $200,000 - $340,000 USD Base salary is just one part of our total rewards package at xAI, which also includes equity, comprehensive medical, vision, and dental coverage, access to a 401(k) retirement plan, short & long-term disability insurance, life insurance, and various other discounts and perks.

XML job scraping automation by YubHub

As a Security Engineer, you will be the technical authority on how Saronic builds, ships, and runs secure software. You will lead secure code review, SAST, DAST, and fuzzing efforts, and define secure coding standards for Rust development including memory safety practices, safe FFI boundaries, and secure error handling.

You will conduct threat modeling for software systems and translate findings into actionable security requirements integrated into design reviews and sprint planning. You will drive vulnerability management for software dependencies, including tracking, prioritization, and remediation of vulnerabilities in third-party crates and libraries.

You will secure and harden NixOS configurations for vessel platforms and development infrastructure, leveraging Nix's reproducibility and declarative model for security enforcement. You will design system hardening profiles in NixOS including kernel hardening, service isolation, mandatory access controls, and minimal attack surface configurations.

You will define and enforce package management and dependency policies within the Nix ecosystem, ensuring build closures are auditable, reproducible, and free from unauthorized or vulnerable packages. You will architect secure system update and rollback mechanisms using NixOS capabilities, ensuring fleet-wide consistency and integrity.

You will design and implement security controls across the CI/CD pipeline including source integrity, build isolation, artifact signing, and deployment verification with build environments that are ephemeral, isolated, and hardened.

You will build and maintain software supply chain security practices aligned to SLSA framework principles, including provenance tracking, hermetic builds, signed attestations, and SBOM generation.

You will integrate security scanning (SAST, SCA, container scanning, secrets detection) into CI/CD pipelines as automated guardrails, and create self-service pipeline templates that enable teams to ship without bottlenecks.

You will design secure deployment patterns for vessel software updates, including secure delivery, integrity verification, and rollback capabilities.

You will implement runtime application security controls including logging, monitoring, and anomaly detection for deployed services.

You will define software and systems security standards, patterns, and reference architectures that engineering teams adopt as the default secure path.

XML job scraping automation by YubHub