Jobs · Engineering

Staff Site Reliability Engineer, Security

hackajob · United States · 5 days ago
RemoteRemoteEngineeringFull-time

Cloud Security Posture Management

  • Audit and harden Stord's GCP footprint (GKE, IAM, Cloud Armor), and codify the baseline in Terraform and policy-as-code where it makes sense.
  • Build continuous posture monitoring against that baseline, with a published gap list and remediation schedule.
  • Drive the evaluation, integration, and rollout of new security tooling as the program matures. Lead the conversations and recommendations on what we adopt, what we build in-house, and what we sunset.

Vulnerability and Dependency Management

  • Establish and automate the vulnerability and dependency remediation workflow across engineering teams: triage cadence, ownership model, severity-based SLAs, and the tracking infrastructure that drives closure.
  • Own Dependabot configuration and triage workflows across our GitHub organization, plus secret scanning, push protection, and response workflows for any secrets that surface.
  • Build supply-chain controls into CI/CD: provenance, dependency review, lockfile policies, build attestation where it pays off.
  • Wire container image scanning and DAST/network scanning programs into the same workflow so vulnerabilities don't slip through the cracks between layers.

Security Solutions Engineering

  • Build security capabilities that the broader SRE team can run as part of their normal operating model: Terraform modules, Cloud Armor rules, Istio authorization policies, Cloudflare configuration, scanner pipelines, and custom automation that fills gaps in off-the-shelf tooling.
  • Ship documentation, runbooks, and self-service tooling that make your designs portable to the rest of the team, so the program continues to function smoothly through handoffs and rotations.
  • Set the engineering bar for security work inside SRE: code review standards, IaC patterns, "secure by default" templates for new services.
  • Partner cross-functionally with engineering teams on app security questions, IT on identity and endpoint boundaries, and IT/compliance on occasional SOC 2 evidence pulls, without owning those domains.

Similar jobs