Security Engineers at GitLab work on securing our product and on internal security. On the product side, this includes the open source version of GitLab, the enterprise editions, and the GitLab.com service. Security Engineers work with peers on cross-functional teams dedicated to areas of the product. They also work together with product managers, developers, and the infrastructure teams to solve common goals.
Security research specialists conduct internal testing against GitLab assets, and against FOSS that is critical to GitLab products and operations. Initiatives for this specialty also include:
- Conduct vulnerability research against all GitLab and GitLab.com assets
- Research FOSS tools that are integrated with GitLab
- Develop proof-of-concept code to be included in security findings
- Report findings to tool developers and track mitigation process
- Follow responsible disclosure policies for community disclosure
- Author blog posts on vulnerabilities discovered
- You have a passion for security and open source
- You are a team player, and enjoy collaborating with cross-functional teams
- You are a great communicator
- You employ a flexible and constructive approach when solving problems
- Ability to professionally handle communications with outside researchers, users, and customers
- Ability to communicate clearly on technical issues
- An understanding of how to write code that is not only secure but scales to a large number of users and systems
- Familiarity with common security libraries, security controls, and common security flaws that apply to Ruby on Rails applications
- Ability to discover and patch SQLi, XSS, CSRF, SSRF, authentication and authorization flaws, and other web-based security vulnerabilities (OWASP Top 10 and beyond)
- Knowledge of common authentication technologies including OAuth, SAML, CAs, OTP/TOTP
- Knowledge of browser-based security controls such as CSP, HSTS, XFO
- Experience with standard web application security tools such as Arachni, Brakeman, and Burp Suite
- You share our values, and work in accordance with those values
- Develop security training and guidance for internal development teams
- Provide subject matter expertise on architecture, authentication and system security
- Assess security tools and integrate tools as needed, particularly open-source tools
- Assist with recruiting activities and administrative work
There should also be time to participate in development of GitLab.
- Proactively identify and reduce security risks
- Find and remove outdated and vulnerable code and code libraries
- Consult with other developers and product managers to analyze and propose application security standards, methods, and architectures
- Handle communications with independent vulnerability researchers and design appropriate mitigation strategies for reported vulnerabilities
- Educate other developers on secure coding best practices