Senior Security Researcher



Remote · London, UK
Posted on Wednesday, December 6, 2023

Stacklok is an innovative software supply chain security startup founded by Kubernetes co-founder Craig McLuckie and Sigstore founder Luke Hinds. Our mission is to make it easier to securely develop software. With our deep expertise in open-source technologies and commitment to enhancing software security, we are seeking highly skilled and motivated individuals to join our team. This is a rare opportunity to join a startup at an early stage, and to be part of a team that is committed to building something truly innovative and impactful. Learn more about Stacklok’s mission, virtues, role and leadership here.

Elevator Pitch

As a Senior Security Analyst, you will play a crucial role in our research team. Your responsibilities will include utilizing Stacklok projects and conducting further research to identify potential threats and vulnerabilities within the software supply chain. You will collaborate closely with our research and engineering teams to stay informed about and anticipate the latest trends in supply chain attacks. This effort is essential to ensure that Stacklok continues to lead in providing cutting-edge software supply chain security solutions.

Additionally, your role will involve a deep dive into the patterns and behaviors of malicious packages and understanding their attack patterns. This expertise is critical in developing proactive strategies to identify and mitigate threats in open source software. You will also be responsible for analyzing software supply chain attacks, utilizing your knowledge in threat analysis, mitigation, and forensic investigation. By keeping abreast of the latest developments in software security and continuously enhancing your skills, you will contribute significantly to maintaining and improving Stacklok's robust security posture, making it resilient against evolving cyber threats.

Role Success: 6-12 Month Expectations

  • Familiarization and Integration: Acclimatize to the team, understanding the workflows, processes, and ongoing projects. This includes getting to know team members, the company culture, and the specific tools and technologies used by Stacklok.

  • Active Project Contribution: Start actively contributing to ongoing Stacklok projects, Trusty and Minder, applying your expertise in identifying and addressing security vulnerabilities, and taking on increasingly complex tasks as your understanding of Stacklok's projects grows.

  • Collaboration with Teams: Build strong collaborative relationships with the research and engineering teams, contributing valuable insights and suggestions for improvements to Stacklok projects.

  • Trend Analysis and Proactive Measures: Keep up-to-date with the latest trends in supply chain attacks, proactively suggesting measures to safeguard against these threats, helping Stacklok remain a leader in supply chain security.

  • Content Creation and Thought Leadership: Engage in publishing content such as blogs, videos, and participate in speaking engagements at tech events. This will establish you as a thought leader in the field and contribute to Stacklok's reputation as an industry leader.

  • Identification and Reporting of Supply Chain Attacks: Play a pivotal role in identifying and reporting on software supply chain attacks. This includes analyzing potential threats, documenting incidents, and developing response strategies. Within the first few months of joining, discover 3 novel supply chain attacks involving open source packages or DevOps tooling (for example GitHub actions) followed by responsible disclosure to community maintainers.

In this Role, You will have the Opportunity to:

  • Drive Advanced Security Research: Lead and engage in cutting-edge research to identify and analyze emerging threats and vulnerabilities in the software supply chain, contributing to the development of new security strategies and solutions.

  • Influence Security Policies and Protocols: Play a key role in shaping and influencing the security policies and protocols at Stacklok, ensuring that the company stays ahead of potential threats and maintains its leadership in supply chain security.

  • Engage in Thought Leadership: Share your insights and expertise through various platforms such as publishing blogs, creating instructional videos, and speaking at technology events, thereby contributing to the broader cybersecurity community.

  • Continuous Professional Development: Have access to professional development opportunities, including workshops, conferences, and training sessions, to stay abreast of the latest trends and advancements in cybersecurity.

  • Innovate and Challenge the Status Quo: Bring innovative ideas to the table, challenge existing practices, and contribute to the evolution of Stacklok's cybersecurity strategies and practices.

  • Work with Incredibly Talented People: Collaborate with a team of highly skilled and talented professionals at Stacklok, offering the chance to learn from and contribute to a group of top-tier experts in the field of software supply chain security.

We know from experience that not ticking every box in the skills section stops many from applying. Please apply regardless of your self-assessment -- we want to hear from you! We have seen engineers succeed with a diverse range of skills and experiences.

Desired Skills & Experience

  • Expertise in Software Supply Chain Security: In-depth knowledge of all aspects of software supply chain security, including provenance and attestation, which are critical in tracing the origin and ensuring the integrity of software components.

  • Modern Software Development Practices: Proficiency in modern software development methodologies, particularly in the application of continuous integration and continuous delivery (CI/CD) processes, which are fundamental in today's fast-paced development environment.

  • Understanding Patterns and Behavior of Malicious Packages: Proficiency in identifying and understanding the patterns and behaviors associated with malicious software packages. This involves recognizing signs of compromised packages and the tactics, techniques, and procedures (TTPs) used by attackers.

  • Knowledge of Attack Patterns and Elements: Expertise in various attack patterns and elements such as privilege escalation, code injection, cross-site scripting, and other common vulnerabilities. This includes an understanding of how attackers exploit these vulnerabilities in the software supply chain.

  • Software Development: Proficiency in Go, Python, JavaScript, and other languages is useful for understanding malicious code and the attacks it performs.

  • Understanding of Open Source Software Package Internals: Familiarity with the internals of open source software packages, such as Node Package Manager (NPM), Python's Package Index (PyPI), Rust's crate registry, and Java's Maven repository. This includes understanding how these packages are structured, managed, and secured.

Why Join Us?

At Stacklok, you will be a part of a culture that values open communication, collaboration, and innovation. We offer a competitive salary package and flexible work hours. If you’re a self-motivated and result-driven individual with a passion for designing and building secure, scalable, distributed systems, and you want to be part of the most exciting startup in the secure supply chain space, come and join us!

Stacklok Inc. is proud to be an equal opportunity employer. We are committed to providing equal employment opportunities for all people and place great value in both diversity and inclusiveness. All qualified applicants will be considered for employment without regard to their, or any other person's, perceived or actual race, color, religion, sex, gender, gender identity, gender expression, sexual orientation, national origin, ancestry, citizenship, age, physical or mental disability, medical condition, family care status, or any other basis protected by law.