Principal Security Engineer, Application Security

GitLab

Hybrid
Full Time
$240,000

Job Overview

Job Title: Principal Security Engineer, Application Security
Job Type: Full Time
Category: Commerce
Experience: 5 Years
Degree: Master
Offered Salary: $240,000
Location: Hybrid

Job Description

About GitLab

GitLab is an open-core software company that develops the most comprehensive AI-powered DevSecOps Platform, trusted by over 100,000 organizations. Our mission is to empower everyone to contribute to and co-create the software that powers our world. When contributions are universal, consumers become active contributors, significantly accelerating human progress. Our platform unites teams and organizations, breaking down barriers and redefining what's possible in software development. With products like Duo Enterprise and Duo Agent Platform, customers gain AI benefits across every stage of the SDLC.

The principles embedded in our products also define our team's way of working: we embrace AI as a core productivity multiplier, expecting all team members to integrate AI into their daily workflows for enhanced efficiency, innovation, and impact. GitLab is a place where careers thrive, innovation flourishes, and every voice is valued. Our high-performance culture is driven by our values and continuous knowledge exchange, enabling team members to reach their full potential while collaborating with industry leaders to solve complex problems. Join us in co-creating the future as we build technology that transforms software development globally.

An Overview of the Principal Security Engineer, Application Security Role

The Application Security + Response (ASR) subdepartment collaborates with GitLab engineers and product teams to proactively prevent the introduction of vulnerabilities during design and development, ensuring the delivery of high-quality software that GitLab customers can trust. We are also responsible for identifying, assessing, and responding to security vulnerabilities discovered in GitLab products and services, reported through Coordinated Vulnerability Disclosure practices.

As a Principal Security Engineer, Application Security, you will report to the Senior Director of Application Security + Response and be instrumental in driving complex, strategic security engineering solutions.

What You'll Do

  • Drive the resolution of systemic vulnerability classes and mitigations across the GitLab platform.
  • Perform difficult and highly complex application security reviews and threat modeling.
  • Conduct vulnerability research, exploring the full impact of security issues and demonstrating proof-of-concept exploitation in controlled environments.
  • Provide technical security leadership, defining and establishing secure development practices, "Paved Roads," and security standards to support Product and Engineering teams in delivering secure features efficiently.
  • Offer technical leadership during security crisis situations and major incident response.
  • Contribute significant technical expertise to long-term security architecture and strategic product design.

What You’ll Bring

  • Ability to use GitLab effectively.
  • Bachelor's degree or equivalent in Computer Science or equivalent practical education (including technical bootcamp training programs) and experience.
  • 8+ years of professional experience in Application Security or Vulnerability Research.
  • Expert-level understanding of computer code, including how to detect and remediate classes of security defects, such as race condition-based logic vulnerabilities.
  • Programming experience in one or more coding languages, with a preference for Ruby, Ruby on Rails, Go, TypeScript, and familiarity with GraphQL APIs. Professional developer code quality is not required, but the ability to build and understand code for developing PoC exploits, performing security review, or fix validation work is a requirement.
  • Expert-level knowledge of application security concepts such as OWASP Top 10 bug types, the STRIDE model, CVSS scoring, and Threat Modeling assessments.
  • Experience with application security practices including code review, threat modeling, static and dynamic analysis (SAST, DAST), attack surface analysis, or performing Application Penetration Testing / Vulnerability Research / Bug Bounty Hunting.
  • Strong knowledge of security challenges, risks, and threats related to CI/CD Pipeline security, supply chain security, and API security.
  • Ability to discover and identify fixes for SQLi, XSS, CSRF, SSRF, authentication and authorization flaws, and other web-based security vulnerabilities is strongly preferred.
  • Ability to provide subject matter expertise on software architecture design and system security.
  • Flexible, effective, and inclusive communication skills that create clarity; you will collaborate with technical and nontechnical audiences across multiple teams on security bug types and how to mitigate or remediate security issues.
  • Proficiency in the English language, both written and verbal, sufficient for success in a remote and largely asynchronous work environment.
  • Demonstrated critical and creative thinking, while also being an effective member of a team, with a flexible and constructive approach to problem solving that helps you navigate ambiguity and drive results.
  • Demonstrated ability to influence security decisions at executive and senior leadership levels.
  • Experience coaching and supporting the development of more junior engineers.

How GitLab Will Support You

  • Benefits to support your health, finances, and well-being.
  • Flexible Paid Time Off.
  • Team Member Resource Groups.
  • Equity Compensation & Employee Stock Purchase Plan.
  • Growth and Development Fund.
  • Parental leave.
  • Home office support.

Key skills/competency

  • Application Security
  • Vulnerability Management
  • Threat Modeling
  • Secure Development Lifecycle (SDLC)
  • Static/Dynamic Analysis (SAST/DAST)
  • Incident Response
  • Ruby/Go/TypeScript
  • OWASP Top 10
  • CI/CD Security
  • API Security

Tags:

Principal Security Engineer
Application Security
Vulnerability Management
Threat Modeling
DevSecOps
Secure Development
Incident Response
SAST
DAST
CI/CD Security
API Security
Ruby
Go
TypeScript
GraphQL
OWASP Top 10
STRIDE
SQLi
XSS
SSRF
Cloud Security

How to Get Hired at GitLab

  • Research GitLab's culture: Study their mission, values, recent news, and employee testimonials on LinkedIn and Glassdoor to align your approach.
  • Tailor your resume: Customize your resume to highlight 8+ years in application security, vulnerability research, and experience with Ruby, Go, or TypeScript, matching GitLab's remote-first environment.
  • Showcase technical expertise: Prepare to discuss expert-level knowledge of OWASP Top 10, STRIDE model, SAST/DAST, and CI/CD security, providing specific examples.
  • Practice behavioral interviews: Emphasize your communication, collaboration, and leadership in influencing security decisions and coaching junior engineers.
  • Demonstrate problem-solving: Be ready to articulate your approach to complex vulnerability resolution and incident response, showcasing critical thinking.
