Staff Security Engineer, DevSecOps (Corporate Security)

at 1Password

Role Overview

The Security Operations team's mission is to protect the business by securing the systems, tools, and processes that power how we work. Our goal is to keep the organization productive, resilient, and safe through proactive controls, thoughtful risk management, and continuous improvement.

As a Staff Security Engineer, you will found and lead the DevSecOps function within the Corporate Security team. You will have the latitude to shape how developer security works, setting the technical vision, driving the standards and controls that engineering teams rely on, and building a program that scales. This role works in close partnership with Infrastructure Security and operates at a scope that touches every team that ships code.

Responsibilities

  • Own the DevSecOps function: Build a developer security program, setting the technical direction and defining the operating model.
  • Harden GitHub and CI/CD security: Lead the program to secure the GitHub Enterprise environment and CI/CD pipelines, including governance frameworks, repository standards, Actions security, and audit visibility.
  • Define AI-assisted development security: Own the security model for AI coding tools and agentic workflows, building guardrails and governance standards to ensure risk and compliance requirements are met.
  • Harden the software supply chain: Drive improvements to dependency hygiene, secret management practices, token governance, and secure package consumption.
  • Set engineering standards: Build secure templates, baseline configurations, and developer-friendly guardrails that make secure defaults the easiest path for engineering teams.
  • Partner with Platform Engineering: Ensure developer tooling and platform infrastructure evolve with security embedded in the design.
  • Mentorship and Leadership: Mentor engineers across Corporate Security and the broader Security Operations organization, distributing ownership to scale impact.
  • Support Operations: Participate in the Corporate Security on-call rotation and contribute to investigations involving developer tooling or credential exposure.

Requirements

  • Minimum of 8 years of combined experience in security engineering, DevSecOps, or platform security, with a deep focus on securing developer environments, CI/CD, or software supply chains.
  • Deep, hands-on expertise in GitHub Enterprise security and governance, including branch protections, secret scanning, access controls, and Actions security at scale.
  • Proven ability to design and implement security controls that integrate into CI/CD pipelines without degrading developer velocity.
  • Solid understanding of software supply chain security, including dependency hygiene (npm, pip, etc.), token management, and SBOM generation.
  • Practical experience solving security challenges introduced by AI-assisted development, including defining policy and technical controls for tools like Copilot, Cursor, or Claude Code.
  • Experience making architectural decisions that span multiple teams and designing scalable, reusable security controls.
  • Strong scripting and automation skills in Python, Bash, Terraform, or similar tools.
  • Ability to build alignment with Platform Engineering and influence engineering-wide standards without direct authority.
  • A track record of mentorship and documentation that elevates the technical capabilities of the team.
  • Familiarity with participating in on-call rotations and contributing to security investigations.

Benefits

  • Competitive health and dental benefits.
  • Maternity and parental leave top-up programs.
  • Generous paid time off (PTO) policy.
  • Equity grant (RSU program) for most employees.
  • Retirement matching program.
  • Paid volunteer days.
  • Peer-to-peer recognition programs.
  • Free premium account for company products.

Additional Information

While this is a remote-first position, travel for in-person engagement is required for all roles. This may include annual department-wide offsites, team meetings, and industry events. Successful applicants will be required to complete a background check as permitted by local law.

Required Skills:
Python, Bash, Terraform
Benefits:
Parental leave, Flexible PTO, RSUs, Dental & vision, Health insurance, 401k matching, Remote flexibility

  • Location: Remote
  • Salary: $190K to $280K per year
  • Job Type: Full Time
  • Work Mode: Remote
  • Experience: Senior Level
  • Posted: Jun 16, 2026