Staff Security Engineer (AppSec)

TL;DR:We're seeking a passionate and technically sophisticated security engineer to lead, architect, and integrate security into every aspect of our platform. You like making things, but also breaking things and preventing others from doing the same.

About Cloudsmith

Cloudsmith is transforming how organizations handle software artifacts and secure their supply chains. As a fully managed multi-tenant Software as a Service (SaaS) built on AWS, our mission is to enable organizations to tackle scale and complexity through best-in-class artifact management and to secure software by default. Our vision is to become the software supply chain itself, powering the future of software delivery.

We are the world's most potent artifact management platform, built by developers for developers. Our platform supports over 30 formats spanning languages, containers, and operating systems, with enterprise-grade features, including vulnerability and security scanning, world-class policy management and enforcement, and web-scale to handle the Fortune 500. Organizations integrate Cloudsmith as critical infrastructure into their development, deployment, and distribution pipelines, trusting us to protect and accelerate, no matter the scale.

Backed by top-tier investors and on a trajectory toward IPO, we're building mission-critical infrastructure that powers software delivery for organizations worldwide. We operate at the cutting edge of cloud-native technology, tackling complex distributed systems challenges that directly impact millions of developers. Now is an exciting time to join us as we revolutionize how organizations deliver and secure software and help write the next chapter of our rocket-ship growth story.

The Role

As a Staff Security Engineer (AppSec) reporting to the Director of Information Security, you'll be a key member of our growing security function, focusing on our product and platform security. This role combines hands-on security engineering with technical leadership, requiring someone to implement security controls and guide other engineers in secure development practices. You'll be the technical cornerstone of our product security initiatives, working to ensure our platform remains secure by design as we scale.

Key Responsibilities

Technical Security Leadership

• Enhance and expand security controls across our cloud-native infrastructure.
• Lead security architecture reviews and threat modeling sessions.
• Develop, evolve, and implement secure coding standards and practices.
• Extend our security automation tooling and strengthen CI/CD pipeline security.
• Build upon our existing security testing frameworks and procedures.

Application Security Implementation

• Perform security code reviews and penetration testing of our codebases.
• Implement security controls for our distributed systems (AWS-based).
• Design and implement secure container runtime environments.
• Build secure API endpoints and review API security architecture.
• Implement supply chain security controls and verification systems.

Security Engineering & Architecture

• Enhance our security monitoring solutions using DataDog, AWS Security Hub, etc.
• Strengthen our secure deployment pipelines using CircleCI and GitHub Actions.
• Drive implementation of our secure artifact storage and processing systems.
• Design and implement additional customer and environment isolation controls.
• Develop security automation tools and frameworks and apply them.
• Partner with the Director of InfoSec + CTO on security architecture decisions.

Security Culture & Education

• Provide security guidance and mentorship to engineering teams.
• Develop and deliver security training materials.
• Create security documentation and guidelines.
• Participate in security incident response.
• Contribute to security policies and standards.

Team Collaboration

• Work closely with the Director of InfoSec + CTO to implement security strategies.
• Collaborate with engineering teams to embed security practices.
• Support security audit and compliance initiatives.
• Participate in security incident response as a technical lead (incl. red/blue team).
• Help evaluate and implement new security tools and technologies.
• Automate everything, write code (if you want to!), and make proofs ('sploits).

Required Experience, Qualities & Skills

Technical Expertise

• 7+ years of security engineering experience or equivalent.
• Deep expertise in application security and secure software development.
• Experience with implementing SAST, DAST, and RASP (Runtime Security).
• Strong programming skills in Python, with familiarity in TypeScript/Node.js or similar.
• Extensive experience with:
• Cloud security (AWS-based, preferably).
• Web application security.
• API security (REST or GraphQL, etc.).
• Infrastructure as Code security.
• CI/CD pipeline security.
• Container security (Docker, OCI).
• Database security.

Security Engineering Skills

• Experience building security tools and automation.
• Strong background in threat modeling and risk assessment.
• Expertise in penetration testing and vulnerability assessment.
• Knowledge of cryptography and secure communication protocols.
• Experience with security monitoring and incident response.

Domain Knowledge

• Understanding of software supply chain security.
• Experience with artifact management systems.
• Knowledge of modern development practices and tools.
• Familiarity with compliance frameworks (ISO 27001, SOC2).

Bonus Points

• Experience with:
• Data enclave implementations.
• Secure runtime environments (Firecracker, gVisor).
• Software Composition Analysis.
• Contributions to open-source security tools.
• Security-focused certifications (OSCP, CSSLP, etc.).
• Experience securing package management systems.

Cultural Values We're Looking For

• Technical Mastery: Demonstrate deep security expertise and engineering craftsmanship.
• Security Innovation: Drive automated, cloud-native security solutions to excellence.
• Knowledge Champion: Share security expertise openly and mentor engineering teams.
• Pragmatic Builder: Deliver practical security solutions with customer needs in mind.
• Continuous Growth: Actively expand security knowledge and embrace sustainable practices.

Impact & Opportunity

This role offers the chance to enhance security in a platform already trusted by organizations worldwide for software supply chain security. You'll join an ISO 27001-certified organization and work with cutting-edge technologies, implementing security controls that protect critical infrastructure. From startups to Fortune 500 customers, your work will directly impact how organizations secure their software supply chains while helping us maintain our position as the most trusted name in artifact management.

Benefits, Location & Work Environment

Note: You must be based in Ireland or the United Kingdom and have the right to work independently without requiring sponsorship.

Headlines

• A remote-first position based in Ireland or the United Kingdom.
• A competitive compensation package, including equity.
• Comprehensive health, dental, and vision insurance.
• Generous annual leave and flexible working policies to suit your lifestyle.
• A professional development budget for conferences and training.
• In a dynamic, innovative, trust-centric, and supportive work environment.
• With the opportunity to shape a fast-growing Series A startup (and beyond).
• Regular (monthly-ish) travel may be required for team meetings.
• Regular (quarterly-ish) travel may also be required for events and customers.

Health and Wellness

Regardless of your location, we deeply care about our staff's and their families' health and wellness; a sustainable pace is essential. In addition to generous annual leave (PTO), we offer parental leave and health benefits to cover you and your dependents up to 100%. We also offer flexible, family-friendly working policies.

Personal Growth

You will have an enormous opportunity to learn new skills alongside your colleagues, and your continued professional development is essential to us because it's important to you. We will support you with budgets for equipment, training, books, conferences, travel, and certifications. The more powerful you become, the better for all of us.

Hybrid Work

Cloudsmith is headquartered in Belfast, Northern Ireland, and we use our H.Q. regularly for activities like team planning, meets and greets, and sometimes other group activities (like games!). We also hold all-hands offsites in Belfast (or otherwise) thrice yearly, with guest speakers and team activities. Most Cloudsmithers work remotely, close and far, so we rely on our online collaboration tools; Slack is how we work.

About Equal Opportunity

Cloudsmith is an equal-opportunity employer proud to nurture a diverse workplace that welcomes applications from individuals of all races, genders, and ethnic groups. We do not discriminate on age, religion, sexual orientation, citizenship status, military service, or health conditions. We will not tolerate discrimination of any kind within our workforce.

The Final Word

We're seeking someone with deep technical security expertise and a passion for building secure systems. You'll be working at the intersection of cloud infrastructure, artifact management, and supply chain security, helping to develop a platform that organizations trust with their most critical assets. If you're excited about security engineering and want to have a lasting impact on the software industry, we want to hear from you.