Security

• NI/GB/ROI

Senior Application Security Engineer

TL;DR: We’re looking for a deeply technical Application Security Engineer to embed inside engineering and help secure Cloudsmith 2.0, the operating system for the modern software supply chain. The ideal person is a software engineer at heart who chose to specialize in security. You should be comfortable moving between code, architecture, and security design.

About Cloudsmith

We run a global, fully managed, multi-tenant SaaS platform that helps organizations, from startups to the Fortune 500, secure, govern, and distribute software artifacts at scale.

Worldwide, our customers use Cloudsmith as a critical infrastructure control plane for CI/CD, developer workflows, security controls, compliance, and software distribution, supporting 30+ formats and ecosystems across languages, containers, and operating systems.

We recently raised our Series C to accelerate Cloudsmith 2.0: deeper artifact intelligence, stronger policy and provenance, faster package-aware delivery, and infrastructure built for engineering teams, as well as the modern AI-driven software factory.

By developers, for developers: we care about craft, architecture, and enterprise scale.

The Role

You’ll work alongside Engineering Managers, Product Managers, Principal Engineers, and product engineers as part of the tribe’s day-to-day rhythm. Your job is to advocate for security from within the core engineering function, not from the sidelines.

That means joining design discussions early, reviewing code and architecture, identifying risks early, and helping the tribe land secure, pragmatic fixes. We are building a model where security engineers are part-IC, part-security specialist.

You should be able to contribute directly, but your greater leverage lies in raising the security judgment of the engineers around you, so good security becomes part of how we work.

Key Responsibilities

• Embed inside an engineering tribe and participate in planning, design review, code review, incident learning, and delivery conversations.

• Collaborate across security, platform, and engineering guilds so security work routes to the right team, at the right time, with the right priority.

• Threat-model product and platform changes across APIs, workers, data stores, queues, object storage, CDNs, identity, policy, and tenant boundaries.

• Review production code and architecture for authentication, authorization, data access, secrets handling, artifact integrity, signing, auditability, and abuse cases.

• Build and improve security tooling, paved roads, checks, libraries, and automation that make securing Cloudsmith easier for engineers.

• Tune and operate security controls across SAST, DAST, SCA, secrets scanning, container scanning, IaC scanning, dependency analysis, and runtime signals.

• Investigate, triage, and remediate vulnerabilities identified through internal testing, third-party testing, responsible disclosure, customer reports, and security tooling.

• Support security incidents, red/blue exercises, detection work, and post-incident actions, improvements, and other investigatory/preventative follow-ups.

• Support technical control work for SOC 2, ISO 27001, EU CRA, and related frameworks, working with GRC where security engineering input is needed.

• Raise the tribe's security capability by helping engineers understand risks, threat-model their own work, and recognize what good secure design looks like.

Required Experience, Qualities & Skills

• Around 5+ years of hands-on application security experience, or equivalent experience across software engineering and security, with security as your recent focus.

• Deep software engineering craft, with a focus on Python. Familiarity with TypeScript, Go, or Rust is an advantage. Effective use of ownership-driven AI is useful.

• Deep web and API security knowledge: OWASP Top 10, business logic flaws, authn/authz design, token handling, REST, GraphQL, and multi-tenant access control.

• Practical threat modeling and vulnerability research experience against real applications, APIs, cloud-native systems, and distributed services.

• Strong cloud-native security experience, especially across AWS, IAM, KMS, S3, containers, Terraform, CI/CD, secrets handling, logging, and multi-tenant isolation.

• Sound judgment on vulnerability priority. You understand CVSS, but you care more about exploitability, reachability, tenant impact, and production reality.

• Ability to reason through production systems: APIs, queues, caches, databases, workers, CDNs, object storage, edge delivery, telemetry, and failure modes.

• Clear communication in a remote-first environment. Your threat models, risk write-ups, incident notes, and feedback should be useful to engineers and credible to leadership.

Software Supply Chain & Security

• Ecosystems such as npm, PyPI, Docker/OCI, Maven, Helm, and Hugging Face.

• Software supply chain threats such as dependency confusion, typosquatting, malicious packages, maintainer compromise, metadata poisoning, and build-system injection.

• Artifact and registry concepts: immutable blobs, mutable metadata, package identity, checksums, upstream proxying, private repos, access control, caching, and promotion.

• Provenance and trust mechanisms such as SBOMs, signing, attestations, SLSA, Sigstore, in-toto, trusted publishing, and zero-trust software delivery.

Bonus Points

• Experience securing artifact management, package registry, container registry, CI/CD, DevOps, developer tooling, or supply chain security platforms.

• Experience with secure runtime environments, sandboxing, workload isolation, policy engines, OPA/Rego, eBPF, or similar control points.

• Contributions to open-source security tooling or supply chain security projects.

• Familiarity with Datadog, AWS Security Hub, Okta, GitHub Advanced Security, Snyk, Semgrep, Trivy, Wiz, or similar tooling.

• Useful, but not required: certs such as OSCP, CSSLP, GPEN, GWAPT, GCSA, or CISSP.

Cultural Values We're Looking For

• Engineering-first security: You operate as an engineer first for security problems.

• Builder mindset: You fix code and automate the boring parts to accelerate others.

• Practical paranoia: You can think like an attacker without losing sight of practicality.

• High standards, low ego: You raise the bar without devolving into arguments.

• Clear thinking: You can turn messy problems into decisions and trade-offs.

• Ownership: You care deeply about the security of the product, platform, and company.

Impact & Growth

AI is increasing the rate at which software is created, changed, assembled, and shipped. Enterprises need stronger controls, better provenance, clearer trust decisions, and a faster path to delivery.

Cloudsmith is building the critical infrastructure to record, govern, and deliver software artifacts at scale. You’ll help make that infrastructure safer from the inside.