This position is remote based.
GitLab is building a research team that will focus on improving GitLab’s security detection capabilities, including SAST/DAST and future products. For more information about our security products, please review: https://about.gitlab.com/direction/secure/ and https://about.gitlab.com/direction/defend/
This team will work directly with the GitLab Security, Development, and Product teams to build, tune and improve the efficacy of the security products that are integrated into GitLab.
Senior Vulnerability Research Engineers are responsible for performing deep assessments of software and web application vulnerabilities, tracking exploit code releases and exploitation activities, and the creation of detailed and actionable reports in support of our global commercial and government customers.
- Dedicate all bandwidth to dogfooding and contributing directly to the Secure and Defend products
- Curate an advisory database/dependency scanning database. This is a semi-automatic task that includes auditing/reviewing and editing existing advisories and adding new ones to the database while, at the same time, automating repetitive tasks away as much as possible.
- Build/develop benchmarks to test the efficacy of scanning and detection products
- Measure and improve the efficacy of scanning and detection products over time
- Conduct code review of Ruby and Go backend code
- Build/develop/improve solutions in the area of static and dynamic analysis as well as future features/projects
- Write detailed technical reports
- Assess security product output results and conduct root cause analysis to improve efficacy
- Respond to internal and external customer inquiries on vulnerabilities and related topics
- This is NOT a Security Operations or Application Security position
- 2+ years of direct experience in developing and improving vulnerability detection products in the context of web security
- Understanding of software composition analysis
- Knowledge about compilers/compiler construction
- Experience with source code analysis, static application security testing (SAST), and dynamic application security testing (DAST)
- Knowledge about benchmarking for testing the efficacy of scanning and detection products
- Experience developing automated web security testing tools
- Experience completing code reviews of Ruby and Go backend code
- Experience in product development
- You have a passion for security and open source
- You are a team player, and enjoy collaborating with cross-functional teams
- You are a great communicator (written and verbal)
- You employ a flexible and constructive approach when solving problems
- You share our values and work in accordance with those values
- Experience with abstract interpretation/reverse engineering
- Experience with binary analysis
Please view the compensation range for this role at the bottom of the position description.