ChainguardRemote
Staff Product Security Engineer
United States of America
Full Time
2 weeks ago
H1B Sponsor Likely
Key skills
PythonGoAWSGCPKubernetesGitHub ActionsIAMCloud BuildGitHubCI/CDOWASPPenetration TestingCloud Security
About this role
Chainguard is the trusted source for open source, delivering hardened, secure, and production-ready builds of open source software. The Staff Product Security Engineer will design and maintain secure CI/CD pipelines, lead security architecture reviews, and define security standards to minimize risk across Chainguard's product stack.
Responsibilities:
- Design, build, and maintain secure CI/CD pipelines with security gates that catch issues before they reach production
- Systematically, consistently and automatically capture the risk exposure of Chainguards products
- Implement and enforce software supply chain security controls: signed artifacts, SBOMs, provenance attestation (SLSA, Sigstore / Cosign)
- Proactively identify emerging customer security needs, and build solutions to meet these
- Lead security architecture reviews and threat models for Kubernetes-based workloads running on GCP and AWS
- Harden container images, Kubernetes cluster configurations, and cloud IAM postures — minimising attack surface across our product stack
- Define and drive adoption of baseline security standards: pod security standards, network policies, workload identity, secrets management
- Evaluate and operationalise CNAPP / CSPM tooling to maintain continuous visibility into cloud-native risk
Requirements:
- 7+ years in software engineering, security engineering, or a combined role with meaningful hands-on security responsibility throughout
- Strong proficiency in Go or Python, with the ability to write, review, and debug production-quality code
- Deep, hands-on experience with Kubernetes in production (cluster hardening, RBAC, network policies, admission controllers)
- Practical expertise with GCP and/or AWS: IAM, workload identity, secrets management, security services (e.g., GCP Security Command Center, AWS Security Hub)
- Proven track record designing and securing CI/CD pipelines (GitHub Actions, Cloud Build, Tekton, or similar)
- Fluency with container security: image scanning, distroless/minimal base images, runtime security
- Experience with software supply chain security tooling and frameworks (Sigstore, SLSA, SBOM generation)
- Solid understanding of OWASP, NIST, and cloud security frameworks and how to apply them pragmatically
- Familiarity with Chainguard Images or other minimal/hardened container base image ecosystems
- Experience with policy-as-code tools (OPA, Kyverno, Conftest)
- Contributions to open source security projects
- Background in security research or offensive security (bug bounty, CTF, penetration testing)