Senior Security Engineer (Remote)

GuardRails provides continuous security feedback that empowers developers to find, fix, and prevent vulnerabilities and enables teams to create web and mobile applications securely, without needing external expertise.

As GuardRails continues to grow, we are building a team of security engineers that have the autonomy to improve the security engines and security scanning technologies of our platform. Any improvement and new feature that is added to our platform is immediately available to thousands of businesses around the globe.

At GuardRails we are establishing a truly distributed team and as such, besides the technical requirements below, we are looking for people that are proactive, with excellent communication skills and the ability to work on tasks independently.

As a security engineer, you play a critical role in directly influencing the quality of the GuardRails security scanning platform as well as ensuring it’s security and the security of our thousands of users and customers.

You are a highly motivated, analytically driven security expert who understands all flavors of software development lifecycles as well as modern DevOps approaches and cloud infrastructure. Although you have experience as a penetration tester and/or bug bounty hunter, you don’t like the inefficiencies of identifying vulnerabilities at the end of the lifecycle, in production, but would rather empower developers to find, fix and prevent vulnerabilities when they are being introduced into the code base.

You have 5+ years of experience in security testing and securing production-level web applications, including:

• Great security engineering experience across the board with a strong knowledge in at least three programming languages
• Practical experience with securing containers
• Practical experience with securing cloud environments such as AWS or GCP
• Ability to rapidly apply your existing knowledge in new domains and new technologies
• Knowing the difference between relevant security vulnerabilities and noise
• Ability to determine false positives and codifying patterns to avoid them

If you have some of these skills, even better:

• Worked as security engineer in software development teams
• Experience with CI/CD for production environments.
• Experience with agile software development methodologies like Kanban or Scrum

The high-level categories are:

1. Managing the security engines
   Making sure they are up-to-date, revisiting the rule curation, writing new rules, tuning false positives. Writing new engines for other programming languages (essentially wrappers for open source tools). But this will also cover new scanning techniques such as DAST, Container scans, infrastructure scans and cloud platform scans.
2. Performing security tests
   Against GuardRails on the source code, runtime, and infrastructure level and make sure that issues will be detected by GuardRails in the future (where possible). Your OSCP will come in handy here.
3. Research & Development
   Support the machine learning initiative, research new ways how GuardRails can be improved, and share your learnings from 1/2/3 in blog posts, white papers, and other ways.

Your duties include the following:

• Perform penetration tests, code review, threat modelling of the entire GuardRails infrastructure and actively help making it secure.
• Manage all security testing engines and ensure they are continuously updated and improved (new rules, lower false positives). This includes supporting the addition of new scanning technologies (Docker scanning, DAST, Runtime monitoring, cloud infra security, CI/ CD security, security requirements etc)
• Help visualize security data for different stakeholders (CEO, CISO, VP Engineering, etc. ) via our dashboard. Support interview of stakeholders (reddit, users, customers, ...) about metrics and insights they would like to see.
• Participate in research of applied machine learning to find vulnerabilities, identify fixes and suggest auto fixes.
• May include figuring out how to do create auto exploits that result in automated tests for vulnerabilities.
• Create white-papers, blog posts, and other resources to share GuardRails cutting edge technology and your research findings.
• Regular management reporting of product status
• Ensure all documentation relating to your product contributions are up-to-date
• Support hiring and interview processes

GuardRails, an application security platform, provides a unique blend of scanning capabilities that can be deployed across entire organizations in minutes. Modern development teams can uncover critical vulnerabilities in their applications and rectify them before attackers are able to abuse them.

GuardRails currently integrates 20 finely-tuned scanning engines that support 9 of the most common programming languages and is trusted by over 700 teams around the world.

Software is transforming the world, and we’re ensuring that businesses can make that change securely. With unique insights into application security a strong strategy in place, secured funding and a vision to make security a commodity we will soon be an established and recognized brand for engineering teams and organizations around the world. This is a great opportunity to join an early-stage cybersecurity startup composed of experienced individuals, supported by key players in the industry, and loved by its users.

We believe that the unique contributions of everyone at GuardRails is the driver of our success. To make sure that our product and culture continue to incorporate everyone's perspectives and experience we never discriminate on the basis of race, religion, national origin, gender identity or expression, sexual orientation, age, or marital, veteran, or disability status.

We value diversity at GuardRails, and encourage applications from those who are traditionally underrepresented in tech. If you are interested in this role but are not totally sure whether you're the right person, do apply anyway or reach out to us directly.