Security Engineer (AppSec)

London Full-Time 42000 - 84000 £ / year (est.) Home office possible

At a Glance

  • Tasks: Lead and integrate security into our platform while guiding engineers in secure practices.
  • Company: Join Cloudsmith, a cutting-edge SaaS company transforming software supply chain security.
  • Benefits: Enjoy remote work, competitive pay, health insurance, and a professional development budget.
  • Why this job: Make a real impact on software security for global organisations while growing your skills.
  • Qualifications: 3+ years in security engineering with expertise in application security and cloud technologies.
  • Other info: Work in a dynamic, supportive environment with opportunities for travel and team activities.

The predicted salary is between 42000 - 84000 £ per year.

We are seeking a passionate and technically sophisticated security engineer to lead, architect, and integrate security into every aspect of our platform. You like making things but also breaking things and preventing others from doing the same.

About Cloudsmith: Cloudsmith is transforming how organizations handle software artifacts and secure their supply chains. As a fully managed multi-tenant Software as a Service (SaaS) built on AWS, our mission is to enable organizations to tackle scale and complexity through best-in-class artifact management and to secure software by default. Our vision is to become the software supply chain itself, powering the future of software delivery.

The Role: As a Security Engineer (AppSec) reporting to the Head of Application Security, you will be a key member of our growing security function, focusing on our product and platform security. This role combines hands-on security engineering with technical leadership, requiring someone to implement security controls and guide other engineers in secure development practices.

Key Responsibilities:

  • Technical Security Leadership: Enhance and expand security controls across our cloud-native infrastructure. Lead security architecture reviews and threat modeling sessions. Develop, evolve, and implement secure coding standards and practices. Extend our security automation tooling and strengthen CI/CD pipeline security. Build upon our existing security testing frameworks and procedures.
  • Application Security Implementation: Perform security code reviews and penetration testing of our codebases. Implement security controls for our distributed systems (AWS-based). Design and implement secure container runtime environments. Build secure API endpoints and review API security architecture. Implement supply chain security controls and verification systems.
  • Security Engineering & Architecture: Enhance our security monitoring solutions using DataDog, AWS Security Hub, etc. Strengthen our secure deployment pipelines using CircleCI and GitHub Actions. Drive implementation of our secure artifact storage and processing systems. Design and implement additional customer and environment isolation controls. Develop security automation tools and frameworks and apply them. Partner with the Head of AppSec + CTO on security architecture decisions.
  • Security Culture & Education: Provide security guidance and mentorship to engineering teams. Develop and deliver security training materials. Create security documentation and guidelines. Participate in security incident response. Contribute to security policies and standards.
  • Team Collaboration: Work closely with the Head of AppSec + CTO to implement security strategies. Collaborate with engineering teams to embed security practices. Support security audit and compliance initiatives. Participate in security incident response as a technical lead (incl. red/blue team). Help evaluate and implement new security tools and technologies. Automate everything, write code (if you want to!), and make proofs ('sploits).

Required Experience, Qualities & Skills:

  • Technical Expertise: 3+ years of security engineering experience or equivalent. Deep expertise in application security and secure software development. Experience with implementing SAST, DAST, and RASP (Runtime Security). Strong programming skills in Python, with familiarity in TypeScript/Node.js or similar. Extensive experience with cloud security (AWS-based, preferably), web application security, API security (REST or GraphQL, etc.), Infrastructure as Code security, CI/CD pipeline security, container security (Docker, OCI), and database security.
  • Security Engineering Skills: Experience building security tools and automation. Strong background in threat modeling and risk assessment. Expertise in penetration testing and vulnerability assessment. Knowledge of cryptography and secure communication protocols. Experience with security monitoring and incident response.
  • Domain Knowledge: Understanding of software supply chain security. Experience with artifact management systems. Knowledge of modern development practices and tools. Familiarity with compliance frameworks (ISO 27001, SOC2).
  • Bonus Points: Experience with data enclave implementations, secure runtime environments (Firecracker, gVisor), software composition analysis, contributions to open-source security tools, security-focused certifications (OSCP, CSSLP, etc.), and experience securing package management systems.

Cultural Values We’re Looking For:

  • Technical Mastery: Demonstrate deep security expertise and engineering craftsmanship.
  • Security Innovation: Drive automated, cloud-native security solutions to excellence.
  • Knowledge Champion: Share security expertise openly and mentor engineering teams.
  • Pragmatic Builder: Deliver practical security solutions with customer needs in mind.
  • Continuous Growth: Actively expand security knowledge and embrace sustainable practices.

Impact & Opportunity: This role offers the chance to enhance security in a platform already trusted by organizations worldwide for software supply chain security. You will join an ISO 27001-certified organization and work with cutting-edge technologies, implementing security controls that protect critical infrastructure.

Benefits, Location & Work Environment: This is a remote-first position; you must be based in Ireland or the United Kingdom and have the right to work there without requiring sponsorship. We offer a competitive compensation package, including equity, comprehensive health, dental, and vision insurance, generous annual leave, and flexible working policies to suit your lifestyle. The package also includes a professional development budget for conferences and training.

Health and Wellness: Regardless of your location, we deeply care about our staff's and their families' health and wellness; a sustainable pace is essential. In addition to generous annual leave (PTO), we offer parental leave and health benefits to cover you and your dependents up to 100%. We also offer flexible, family-friendly working policies.

Personal Growth: You will have an enormous opportunity to learn new skills alongside your colleagues, and your continued professional development is essential to us because it's important to you. We will support you with budgets for equipment, training, books, conferences, travel, and certifications.

Hybrid / Remote First: Cloudsmith is headquartered in Belfast, Northern Ireland, and we use our H.Q. regularly for activities like team planning, meets and greets, and sometimes other group activities (like games!). We also hold all-hands offsites in Belfast (or otherwise) thrice yearly, with guest speakers and team activities. Most Cloudsmithers work remotely, close and far, so we rely on our online collaboration tools; Slack is how we work.

About Equal Opportunity: Cloudsmith is an equal-opportunity employer proud to nurture a diverse workplace that welcomes applications from individuals of all races, genders, and ethnic groups. We do not discriminate on age, religion, sexual orientation, citizenship status, military service, or health conditions. We will not tolerate discrimination of any kind within our workforce.

The Final Word: We are seeking someone with deep technical security expertise and a passion for building secure systems. You will be working at the intersection of cloud infrastructure, artifact management, and supply chain security, helping to develop a platform that organizations trust with their most critical assets. If you are excited about security engineering and want to have a lasting impact on the software industry, we want to hear from you.

Security Engineer (AppSec) employer: Cloudsmith

Cloudsmith is an exceptional employer, offering a dynamic and innovative work environment that prioritises employee growth and well-being. With a remote-first approach based in Ireland or the UK, employees enjoy competitive compensation, comprehensive health benefits, and generous annual leave, alongside opportunities for professional development and collaboration with cutting-edge technologies. Join us to make a meaningful impact on software supply chain security while being part of a supportive and trust-centric culture.

Contact Detail:

Cloudsmith Recruiting Team

StudySmarter Expert Advice

We think this is how you could land Security Engineer (AppSec)

✨Tip Number 1

Familiarise yourself with Cloudsmith's platform and its security features. Understanding how our artifact management system works will give you an edge in interviews, as you'll be able to discuss specific security challenges and solutions relevant to our technology.

✨Tip Number 2

Engage with the security community by participating in forums or attending meetups focused on application security. This not only helps you stay updated on the latest trends but also allows you to network with professionals who might have insights into our hiring process.

✨Tip Number 3

Showcase your hands-on experience with security tools and practices that align with our requirements, such as SAST, DAST, and CI/CD pipeline security. Be prepared to discuss specific projects where you've implemented these tools effectively.

✨Tip Number 4

Prepare to demonstrate your problem-solving skills through practical scenarios during the interview. Think of examples where you've successfully identified vulnerabilities and implemented security measures, as this will highlight your technical expertise and proactive approach.

We think you need these skills to ace Security Engineer (AppSec)

Application Security Expertise
Secure Software Development
Security Architecture Reviews
Threat Modelling
Security Code Reviews
Penetration Testing
Cloud Security (AWS)
API Security (REST/GraphQL)
CI/CD Pipeline Security
Container Security (Docker, OCI)
Database Security
Security Automation Tools
Threat Modelling and Risk Assessment
Cryptography Knowledge
Incident Response Experience
Software Supply Chain Security Understanding
Artifact Management Systems Knowledge
Compliance Framework Familiarity (ISO 27001, SOC2)
Programming Skills in Python
Familiarity with TypeScript/Node.js
Security Tool Development

Some tips for your application

Tailor Your CV: Make sure your CV highlights relevant experience in security engineering, particularly in application security. Emphasise your technical skills, such as programming in Python and familiarity with AWS, as these are crucial for the role.

Craft a Compelling Cover Letter: In your cover letter, express your passion for security engineering and how your background aligns with Cloudsmith's mission. Mention specific projects or experiences that demonstrate your ability to implement security controls and lead technical initiatives.

Showcase Relevant Projects: If you have worked on any security-related projects, especially those involving secure coding practices or penetration testing, be sure to include them in your application. This will help illustrate your hands-on experience and technical expertise.

Highlight Continuous Learning: Mention any certifications or ongoing education related to security, such as OSCP or CSSLP. This shows your commitment to staying updated in the field and aligns with Cloudsmith's value of continuous growth.

How to prepare for a job interview at Cloudsmith

✨Showcase Your Technical Expertise

Be prepared to discuss your hands-on experience with application security and secure software development. Highlight specific projects where you've implemented security controls or conducted penetration testing, as this will demonstrate your capability to handle the responsibilities of the role.

✨Understand Cloudsmith's Mission

Familiarise yourself with Cloudsmith's vision and how they are transforming software supply chain security. Being able to articulate how your skills align with their mission will show your genuine interest in the company and the role.

✨Prepare for Technical Questions

Expect in-depth technical questions related to security engineering, such as SAST, DAST, and RASP. Brush up on your knowledge of cloud security, API security, and CI/CD pipeline security to confidently answer these queries.

✨Demonstrate a Collaborative Mindset

Since the role involves working closely with engineering teams, be ready to discuss your experience in mentoring others and collaborating on security initiatives. Share examples of how you've successfully embedded security practices within teams to highlight your teamwork skills.
