Application Security Engineer or Senior Application Security Engineer (US Federal)

This Application Security Engineer or Senior Application Security Engineer position is 100% remote for someone located in the USA. We can only consider US citizens at this time.

It’s an exciting time to join our team. We're the world’s largest all-remote company, and we've been intentionally building our culture this way from the start. We are an ambitious, productive team that embraces a set of shared ​values​ in everything we do.

Application Security Engineers work closely with development teams, product managers (PM), and third-party groups (including the paid bug bounty program) to ensure that GitLab products are secure.

We are looking for an Application Security Engineer to review JiHu contributions, work with and triage security reports from US government organizations, and support our Public Sector team from an application security point of view.

The culture here at GitLab is something we’re incredibly proud of. Some of the benefits you’ll be entitled to vary by the region or country you’re in. However, all GitLab team members are fully remote and receive a "no ask, must tell" paid-time-off policy, where we don’t count the number of days you take off annually -- instead, we focus on your results. You can work the hours you choose, enabled by our asynchronous approach to communication. You can also expect stock options and a competitive salary. Our compensation calculator will be shared with selected candidates before any interview.

Diversity, Inclusion, and Belonging (DIB) are fundamental to the success of GitLab. We want to infuse DIB in every way possible and in all that we do. We strive to create a transparent environment where all team members around the world feel that their voices are heard and welcomed. We also aim to be a place where people can show up as their full selves each day and contribute their best. With more than 100,000 organizations using GitLab, our goal is to have a team that is representative of our users.

What you'll do in this role:

• Participate in and support application security reviews and threat modeling, including code review and dynamic testing.
• Own and perform application security vulnerability management.
• Support the bug bounty program.
• Facilitate and support the preparation of security releases.
• Support and consult with product and development teams in the area of application security.
• Assist in the creation of security training.
• Assist in the development of automated security testing to validate that secure coding best practices are being used.
• Lead and perform application security reviews on all contributed code from GitLab Information Technology (Hubei) Co., Ltd. (JiHu, pronounced "G Who").
• Work with and triage security reports from US government organizations and associated contractors.
• From an Application Security perspective, support our Federal Sales and Public Sector teams.
• Auxillary responsibilities include those general to the Application Security Engineer role.

As a Senior Application Security Engineer you will also:

• Support and evolve the bug bounty program.
• Lead both critical and regular security releases.
• Lead application security reviews and threat modeling, including code review and dynamic testing.
• Lead in development of automated security testing to validate that secure coding best practices are being used.
• Guide and advise product development teams as SMEs in the area of application security.
• Assist with recruiting activities and administrative work.
• Develop security training and socialize the material with internal development teams.
• Participate and assist in initiatives to holistically address multiple vulnerabilities found in a functional area.

You should apply if you bring:

• Ability to use GitLab.
• Familiarity with common security libraries, security controls, and common security flaws.
• Basic development or scripting experience and skills. Ruby and Ruby on Rails is preferred.
• Experience with OWASP, static/dynamic analysis, and common security tools.
• A basic understanding of network and web related protocols (such as TCP/IP, UDP, IPSEC, HTTP, HTTPS, protocols).
• Familiarity with cloud security controls and best practices.
• Experience working with developers.
• Excellent and professional communication skills (written and verbal) with an ability to articulate complex topics in a clear and concise manner.
• A United States citizenship.
• Residence in one of the 50 states of the United States of America.
• Ability to conduct all GitLab related work within the United States of America.
• Experience working for or closely with the United States government or associated contractors.
• Ability and willingness to obtain a federal security clearance should it be necessary to perform job responsibilities.
• Experience working with Defense Information Security Agency (DISA) Security Technical Implementation Guides (STIGs).
• Successful completion of a background check.

If applying as a Senior, you should apply if you also bring:

• Strong understanding and experience with common security libraries, security controls, and common security flaws.
• Some development or scripting experience and skills. Ruby and Ruby on Rails is preferred.
• Be a subject matter expert (SME) of at least 1 technical area impacting the security of the product.
• Strong experience working closely with developers.

Also, we know it’s tough, but please try to avoid the ​​confidence gap​.​​ You don’t have to match all the listed requirements exactly to be considered for this role.

Our hiring process for this Application Security Engineer position typically follows four stages. The details of this process and our leveling structure can be found on our job family page.

Country Hiring Guidelines

Please visit our Country Hiring Guidelines page to see where we can hire.

Your Privacy

For information about our privacy practices in the recruitment process, please visit our Recruitment Privacy Policy page.