SentinelOneRemote
Staff Supply Chain & Build-System Security Engineer
United States of America
Full Time
3 weeks ago
$156,000 - $200,000 USD
No H1B
Key skills
JavaScriptPythonGoRustAIAgenticGitHub ActionsnpmGitGitHubCDNCI/CDLeadershipCommunication
About this role
SentinelOne is a company at the intersection of AI and security, pioneering a new operating model for cybersecurity. As a Staff Supply Chain & Build-System Security Engineer, you will lead customer engagements focused on software supply chain risk and validate supply chain findings to ensure actionable insights for clients.
Responsibilities:
- Lead Wayfinder Frontier AI Services customer engagements focused on software supply chain risk end-to-end — scope, deliver, and present findings to customer engineering and security leadership
- Review and triage supply chain findings from our agentic code scanning pipeline, validate true positives, eliminate noise, prioritize by real exploitability in the customer's environment, and ensure every finding that reaches the customer is a decision they can act on
- Investigate malicious-package incidents: triage suspected compromise, reverse engineer obfuscated install scripts (bun_environment.js-class), identify blast radius, and build customer deliverables
- Build dependency-graphs and reachability analyses across npm, PyPI, Maven, NuGet, Go modules, and Rust crates, document and prioritize findings
- Build and review SBOMs and AIBOM artifacts
- Deliver recommendations on hardening of customer CI/CD pipelines; GitHub Actions, Pinning, OIDC, Trusted Publisher migration, Harden-Runner deployment, runner identity scoping
- Cover client-side supply chain risk in customer engagements
Requirements:
- 7+ years in security with a strong concentration in software supply chain, build systems, or product security, plus a credible development background
- Proven track record translating complex findings into technical and executive-level debriefs. Excellent written and verbal communication is essential
- Deep npm internals fluency, publish flow, registry mechanics, Trusted Publisher and OIDC for publishing, plus working depth across PyPI, Maven Central, and NuGet
- Hands-on dependency analysis and reachability-based prioritization across multiple languages
- Working knowledge of SBOMs, build provenance, and artifact signing, including SLSA, in-toto, and Sigstore, and how to enforce them in a real pipeline
- Experience hardening build environments, git actions, runner isolation, and locked-down secrets handling
- Hands-on malicious-package triage and static reverse engineering of obfuscated JavaScript and Python
- Client-side supply-chain investigation experience (Magecart-class, CDN compromise, browser-bundle dependency confusion)
- Experience with AI accelerated development / supply chain scanning methodologies