Senior Security Engineer - Remote

The high-level categories are:

• Managing the security engines
  Making sure they are up-to-date, revisiting the rule curation, writing new rules, tuning false positives. Writing new engines for other programming languages (essentially wrappers for open source tools). But this will also cover new scanning techniques such as DAST, Container scans, infrastructure scans and cloud platform scans.
• Performing security tests 
  Against GuardRails on the source code, runtime, and infrastructure level and make sure that issues will be detected by GuardRails in the future (where possible). Completed OSCP or similar certifications will come in handy here.
• Research & Development 
  Support the machine learning initiative, research new ways how GuardRails can be improved, and share your learnings from 1/2/3 in blog posts, white papers, and other ways.

Your duties include the following:

• Perform penetration tests, code review, threat modelling of the entire GuardRails infrastructure and actively help making it secure.
• Manage all security testing engines and ensure they are continuously updated and improved (new rules, lower false positives). This includes supporting the addition of new scanning technologies (Docker scanning, DAST, Runtime monitoring, cloud infra security, CI/ CD security, security requirements etc)
• Help visualize security data for different stakeholders (CEO, CISO, VP Engineering,  etc. ) via our dashboard. Support interview of stakeholders (reddit, users, customers, ...) about metrics and insights they would like to see.
• Participate in research of applied machine learning to find vulnerabilities, identify fixes and suggest auto fixes.
• May include figuring out how to create auto-exploits that result in automated tests for vulnerabilities.
• Create white-papers, blog posts, and other resources to share GuardRails cutting edge technology and your research findings.
• Regular management reporting of product status
• Ensure all documentation relating to your product contributions are up-to-date
• Support hiring and interview processes

You have 5+ years of experience in security testing and securing production-level web applications, including:

• Great security engineering experience across the board with a strong knowledge in at least three programming languages
• Practical experience with securing containers
• Practical experience with securing cloud environments such as AWS or GCP
• Ability to rapidly apply your existing knowledge in new domains and new technologies
• Knowing the difference between relevant security vulnerabilities and noise
• Ability to determine false positives and codifying patterns to avoid them

If you have some of these skills, even better:

• Worked as security engineer in software development teams
• Experience with CI/CD for production environments