Invest in your career with a Madrona-funded company.


Staff Security Software Engineer



Software Engineering
North America · Remote
Posted on Saturday, September 16, 2023

StackLok is an innovative software supply chain security startup founded by Kubernetes co-founder, Craig McLuckie and Sigstore founder, Luke Hinds. Our mission is to make it easier to securely develop software. With our deep expertise in open-source technologies and commitment to enhancing software security, we are seeking highly skilled and motivated individuals to join our team. This is a rare opportunity to join a startup at an early stage, and to be part of a team that is committed to building something truly innovative and impactful. Learn more about StackLok’s mission, virtues, role and leadership here.

The Elevator Pitch:

As the Red Team Software Engineer Lead, you will be at the forefront of securing our cutting-edge software supply chain solutions. Reporting directly to the CTO, you will lead our red team operations, conduct penetration testing, and evaluate the overall security posture of our systems and infrastructure. Your expertise in software security analysis, combined with a proven track record in red teaming, will be instrumental in safeguarding our products and services.

In this Role, You will have the Opportunity to:

Lead Red Team Operations:

  • Design, plan, and execute red team exercises to assess the security resilience of our software supply chain solutions.
  • Conduct comprehensive assessments of open-source projects, identifying vulnerabilities and potential supply chain attacks.
  • Collaborate with cross-functional teams to simulate real-world attacks, test defenses, and improve security measures.
  • Author threat models and map out attack vectors.
  • Stay current on the latest threats to the software supply chain, and work with engineering leadership and product management to ensure that the Stacklok product line is evolving to address emerging threat vectors.

Penetration Testing and Vulnerability Assessment:

  • Perform rigorous penetration testing and vulnerability assessments on our software supply chain solution and the cloud configuration we use to deploy to our infrastructure.
  • Utilize advanced tools and methodologies to identify and exploit vulnerabilities in software components.
  • Automate CI driven security testing using SAST, and Fuzzing approaches
  • Review code for security impact / risks.

Bug Bounty Program Management:

  • Establish and manage a bug bounty program
  • Engage with external security researchers and the open-source community to receive and triage vulnerability reports.
  • Evaluate and validate vulnerability findings, providing detailed reports

Technical Leadership and Expertise:

  • Serve as a subject matter expert in offensive security, specializing in open-source and software supply chain security.
  • Stay up to date with the latest attack techniques, tools, and industry best practices related to software security and supply chain.
  • Provide technical guidance, mentorship, and support to team members, fostering a collaborative and innovative environment.

Desired Skills & Experience

  • Strong proficiency in software development and extensive experience with open-source projects.
  • Deep expertise in red teaming, penetration testing, and vulnerability assessments.
  • In-depth knowledge of software supply chain security, including understanding the risks associated with open-source components.
  • Familiarity with state-of-the-art tools and techniques used in red team operations and vulnerability assessments.
  • Proven track record of successfully identifying and exploiting vulnerabilities in complex systems.
  • Excellent written and verbal communication skills, with the ability to effectively convey technical concepts to diverse stakeholders.
  • Demonstrated leadership skills, with the ability to motivate and lead a team of security professionals.
  • Professional certifications such as Offensive Security Certified Professional (OSCP), Certified Ethical Hacker (CEH), or Certified Information Systems Security Professional (CISSP) are highly desirable.
  • Experience with Go and Javascript, and expertise with security protocols such as OAuth2, asymmetric / symmetric encryption, PKI / X509, secure cookies. Hashing algorithms such as Argon2, bcrypt
  • Experience with Open source communities, for example OWASP, OpenSSF, Linux Foundation projects.

Why Join Us?

At Stacklok, you will be a part of a culture that values open communication, collaboration, and innovation. We offer a competitive salary package and flexible work hours. If you’re a self-motivated and result-driven individual with a passion for designing and building secure, scalable, distributed systems, and you want to be part of the most exciting startup in the secure supply chain space, come and join us!

Stacklok Inc, is proud to be an equal opportunity employer. We are committed to providing equal employment opportunities for all people and place great value in both diversity and inclusiveness. All qualified applicants will be considered for employment without regard to their, or any other person's, perceived or actual race, color, religion, sex, gender, gender identity, gender expression, sexual orientation, national origin, ancestry, citizenship, age, physical or mental disability, medical condition, family care status, or any other basis protected by law.