Staff Site Reliability Engineer, Security
hackajob · United States · 5 days ago
RemoteRemoteEngineeringFull-time
Cloud Security Posture Management
- Audit and harden Stord's GCP footprint (GKE, IAM, Cloud Armor), and codify the baseline in Terraform and policy-as-code where it makes sense.
- Build continuous posture monitoring against that baseline, with a published gap list and remediation schedule.
- Drive the evaluation, integration, and rollout of new security tooling as the program matures. Lead the conversations and recommendations on what we adopt, what we build in-house, and what we sunset.
Vulnerability and Dependency Management
- Establish and automate the vulnerability and dependency remediation workflow across engineering teams: triage cadence, ownership model, severity-based SLAs, and the tracking infrastructure that drives closure.
- Own Dependabot configuration and triage workflows across our GitHub organization, plus secret scanning, push protection, and response workflows for any secrets that surface.
- Build supply-chain controls into CI/CD: provenance, dependency review, lockfile policies, build attestation where it pays off.
- Wire container image scanning and DAST/network scanning programs into the same workflow so vulnerabilities don't slip through the cracks between layers.
Security Solutions Engineering
- Build security capabilities that the broader SRE team can run as part of their normal operating model: Terraform modules, Cloud Armor rules, Istio authorization policies, Cloudflare configuration, scanner pipelines, and custom automation that fills gaps in off-the-shelf tooling.
- Ship documentation, runbooks, and self-service tooling that make your designs portable to the rest of the team, so the program continues to function smoothly through handoffs and rotations.
- Set the engineering bar for security work inside SRE: code review standards, IaC patterns, "secure by default" templates for new services.
- Partner cross-functionally with engineering teams on app security questions, IT on identity and endpoint boundaries, and IT/compliance on occasional SOC 2 evidence pulls, without owning those domains.