An overview of this role
We are looking for an experienced Red Teamer who specializes in CI/CD and software supply chain attacks. You will have worked in an offensive-security role, planning and executing these attacks in modern DevOps environments. Additionally, you will have established yourself as an expert in this area with public blogs, conference talks, and/or open-source tooling.
Your expertise will help round off the capabilities of our existing team members, and you will work together on a range of attack operations. You will also be given the time and resources to pursue your specialty. We want you to get creative, planning and executing attacks against GitLab.com, CI/CD pipelines, and all the critical components of software delivery.
We will encourage you to share your research publicly, providing you with an opportunity to further establish yourself as an expert in the field. Our team is incredibly transparent, and the resources we share are used by security organizations around the world.
We want you to help us be industry leaders at attacking and defending CI/CD and software supply chains. Apply now, and tell us how you will make that happen.
Some examples of the work we do:
What you’ll do
- Propose, plan, and execute Red Team operations based on realistic threats to the organization
- Automate attack techniques, creating custom tooling for specific operations and contributing to general-purpose open source tools
- Write detailed reports covering the goals and outcomes of Red Team operations, including significant observations and recommendations
- Collaborate with GitLab’s Security Incident Response Team (SIRT) to improve detection and response capabilities
- Collaborate with GitLab’s Infrastructure Security Team to propose defensive improvements to cloud environments
- Collaborate across multiple product teams to propose enhancements and additions to GitLab’s SaaS and self-hosted offerings
- Collaborate with non-technical teams to propose process and policy enhancements and additions
- Stay informed on current security trends, advisories, publications, and academic research that is relevant to our organization
What you’ll bring
- Experience conducting Red Team (adversary emulation) operations attacking CI/CD systems and software supply chains
- Deep knowledge of how software developers work and how they may be targeted
- Public examples of blogs, conference talks, and open-source tooling demonstrating your expertise in CI/CD and supply chain attacks
- Experience deploying, managing, and operating a Command & Control (C2) framework
- Senior-level command-line skills with Linux-based operating systems
- Ability to automate tasks by writing basic scripts/programs - we often use Python and Go
- Ability to read and understand multiple programming languages, especially Ruby and Go
- Hands-on experience with at least one of the major cloud providers (GCP, AWS, Azure)
- An adversarial mindset - you must be able to put yourself in the mind of the attacker
- Excellent and professional communication skills (written and verbal) with an ability to articulate complex topics in a clear and concise manner
About the team
GitLab’s internal Red Team conducts security exercises that emulate real-world threats. We do this to help assess and improve the effectiveness of the people, processes, and technologies used to keep our organization secure. The Red Team does not perform penetration tests, and the work we do is not focused on delivering a list of vulnerabilities in a specific application or service.
Malicious actors are not constrained by the narrow focus of traditional security testing. We must take on this adversarial mindset in order to challenge our own assumptions and identify areas for improvement across our entire organization. We do this by emulating the real-world tactics, techniques, and procedures (TTPs) of threats that are most relevant to our environment. This approach allows groups across GitLab to practice detecting and responding to threats in a controlled manner. We can then better understand our current defensive capabilities and work to improve them before we are faced with the real thing.
Our team heavily values the focus on asynchronous communication at GitLab. We do like to catch up and chat about ongoing work, but we intentionally designed our processes to work 100% remotely and asynchronously. You can read more about this in our blog “How we run Red Team operations remotely”. Long story short - this means fewer meetings and more time for interesting work.
We also love GitLab’s transparency value, as it is rare in our line of work. Not only do we want you to find cool ways to break and attack things - we want you to share it with the world. We encourage public sharing of new attack techniques, interesting research, and open-source attack tools.
How GitLab will support you
Please note that we welcome interest from candidates with varying levels of experience; many successful candidates do not meet every single requirement. Additionally, studies have shown that people from underrepresented groups are less likely to apply to a job unless they meet every single qualification. If you're excited about this role, please apply and allow our recruiters to assess your application.
Country Hiring Guidelines: GitLab hires new team members in countries around the world. All of our roles are remote, however some roles may carry specific location-based eligibility requirements. Our Talent Acquisition team can help answer any questions about location after starting the recruiting process.
Privacy Policy: Please review our Recruitment Privacy Policy. Your privacy is important to us.
GitLab is proud to be an equal opportunity workplace and is an affirmative action employer. GitLab’s policies and practices relating to recruitment, employment, career development and advancement, promotion, and retirement are based solely on merit, regardless of race, color, religion, ancestry, sex (including pregnancy, lactation, sexual orientation, gender identity, or gender expression), national origin, age, citizenship, marital status, mental or physical disability, genetic information (including family medical history), discharge status from the military, protected veteran status (which includes disabled veterans, recently separated veterans, active duty wartime or campaign badge veterans, and Armed Forces service medal veterans), or any other basis protected by law. GitLab will not tolerate discrimination or harassment based on any of these characteristics. See also GitLab’s EEO Policy and EEO is the Law. If you have a disability or special need that requires accommodation, please let us know during the recruiting process.