Senior Application Security Engineer

As a Senior Application Security Engineer, you'll report to the Head of Security and embed directly into one of our engineering tribes.

You'll work alongside Engineering Managers, Product Managers, Principal Engineers, and product engineers as part of the tribe's day-to-day rhythm. Your job is to advocate for security from within the core engineering function, not from the sidelines.

That means joining design discussions early, reviewing code and architecture, identifying risks early, and helping the tribe land secure, pragmatic fixes. We are building a model where security engineers are part-IC, part-security specialist.

You should be able to contribute directly, but your greater leverage lies in raising the security judgment of the engineers around you, so good security becomes part of how we work., * Embed inside an engineering tribe and participate in planning, design review, code review, incident learning, and delivery conversations.

• Collaborate across security, platform, and engineering guilds so security work routes to the right team, at the right time, with the right priority.
• Threat-model product and platform changes across APIs, workers, data stores, queues, object storage, CDNs, identity, policy, and tenant boundaries.
• Review production code and architecture for authentication, authorization, data access, secrets handling, artifact integrity, signing, auditability, and abuse cases.
• Build and improve security tooling, paved roads, checks, libraries, and automation that make securing Cloudsmith easier for engineers.
• Tune and operate security controls across SAST, DAST, SCA, secrets scanning, container scanning, IaC scanning, dependency analysis, and runtime signals.
• Investigate, triage, and remediate vulnerabilities identified through internal testing, third-party testing, responsible disclosure, customer reports, and security tooling.
• Support security incidents, red/blue exercises, detection work, and post-incident actions, improvements, and other investigatory/preventative follow-ups.
• Support technical control work for SOC 2, ISO 27001, EU CRA, and related frameworks, working with GRC where security engineering input is needed.
• Raise the tribe's security capability by helping engineers understand risks, threat-model their own work, and recognize what good secure design looks like., Cloudsmith is not just another SaaS product. We are the artifact control plane for our customers' software supply chains. You should understand, or be excited to go deep on:
• Ecosystems such as npm, PyPI, Docker/OCI, Maven, Helm, and Hugging Face.
• Software supply chain threats such as dependency confusion, typosquatting, malicious packages, maintainer compromise, metadata poisoning, and build-system injection.
• Artifact and registry concepts: immutable blobs, mutable metadata, package identity, checksums, upstream proxying, private repos, access control, caching, and promotion.
• Provenance and trust mechanisms such as SBOMs, signing, attestations, SLSA, Sigstore, in-toto, trusted publishing, and zero-trust software delivery.

Do you have experience in TypeScript?, * Around 5+ years of hands-on application security experience, or equivalent experience across software engineering and security, with security as your recent focus.

• Deep software engineering craft, with a focus on Python. Familiarity with TypeScript, Go, or Rust is an advantage. Effective use of ownership-driven AI is useful.
• Deep web and API security knowledge: OWASP Top 10, business logic flaws, authn/authz design, token handling, REST, GraphQL, and multi-tenant access control.
• Practical threat modeling and vulnerability research experience against real applications, APIs, cloud-native systems, and distributed services.
• Strong cloud-native security experience, especially across AWS, IAM, KMS, S3, containers, Terraform, CI/CD, secrets handling, logging, and multi-tenant isolation.
• Sound judgment on vulnerability priority. You understand CVSS, but you care more about exploitability, reachability, tenant impact, and production reality.
• Ability to reason through production systems: APIs, queues, caches, databases, workers, CDNs, object storage, edge delivery, telemetry, and failure modes.
• Clear communication in a remote-first environment. Your threat models, risk write-ups, incident notes, and feedback should be useful to engineers and credible to leadership., * Experience securing artifact management, package registry, container registry, CI/CD, DevOps, developer tooling, or supply chain security platforms.
• Experience with secure runtime environments, sandboxing, workload isolation, policy engines, OPA/Rego, eBPF, or similar control points.
• Contributions to open-source security tooling or supply chain security projects.
• Familiarity with Datadog, AWS Security Hub, Okta, GitHub Advanced Security, Snyk, Semgrep, Trivy, Wiz, or similar tooling.
• Useful, but not required: certs such as OSCP, CSSLP, GPEN, GWAPT, GCSA, or CISSP., * Builder mindset: You fix code and automate the boring parts to accelerate others.
• Practical paranoia: You can think like an attacker without losing sight of practicality.
• High standards, low ego: You raise the bar without devolving into arguments.
• Clear thinking: You can turn messy problems into decisions and trade-offs.
• Ownership: You care deeply about the security of the product, platform, and company.

• A competitive compensation package, including equity.
• With comprehensive health, dental, and vision insurance.
• Plus, generous annual leave and flexible working policies to suit your lifestyle.
• Including a professional development budget for conferences and training.
• In a dynamic, innovative, trust-centric, and supportive work environment.
• Belfast HQ, used for working sessions, planning, all-hands, and team events.
• Opportunity to help shape a fast-growing company building critical infrastructure.
• Regular travel may be required for team meetings, planning, customers, and events.

Health and Wellness

We care about the health and wellness of our people and their families. Sustainable pace matters. We offer generous annual leave, health and wellbeing benefits, and flexible family-friendly working policies.

About Cloudsmith Cloudsmith is building the operating system for the modern software supply chain. We run a global, fully managed, multi-tenant SaaS platform that helps organizations, from startups to the Fortune 500, secure, govern, and distribute software artifacts at scale. Worldwide, our customers use Cloudsmith as a critical infrastructure control plane for CI/CD, developer workflows, security controls, compliance, and software distribution, supporting 30+ formats and ecosystems across languages, containers, and operating systems. We recently raised our Series C to accelerate Cloudsmith 2.0: deeper artifact intelligence, stronger policy and provenance, faster package-aware delivery, and infrastructure built for engineering teams, as well as the modern AI-driven software factory. By developers, for developers: we care about craft, architecture, and enterprise scale., This role helps shape application security for a platform that secures the software supply chain for organizations from startups to the Fortune 500. AI is increasing the rate at which software is created, changed, assembled, and shipped. Enterprises need stronger controls, better provenance, clearer trust decisions, and a faster path to delivery. Cloudsmith is building the critical infrastructure to record, govern, and deliver software artifacts at scale. You'll help make that infrastructure safer from the inside. As the function grows, you'll have the opportunity to shape our application security roadmap, define how security engineers embed within tribes, influence secure engineering patterns, mentor future security hires, and represent Cloudsmith externally in the security community., Cloudsmith is headquartered in Belfast, Northern Ireland, with fully equipped office space for working sessions, planning, meetups, and team activities. We rely on Slack, Google Docs, Linear, and other tools to collaborate across locations.