SentinelOneRemote
Staff Supply Chain & Build-System Security Engineer
United States of America
Full Time
5 hours ago
$156,000 - $200,000 USD
No H1B
Key skills
Software supply chain securityBuild systems securityProduct securityDevelopment backgroundnpm internalsPyPIMaven CentralNuGetDependency analysisReachability analysisSBOMsBuild provenanceArtifact signingSLSAin-totoSigstoreCI/CD pipeline hardeningGitHub ActionsOIDCTrusted PublisherRunner isolationSecrets handlingMalicious-package triageStatic reverse engineeringJavaScriptPythonClient-side supply chain investigationMagecartCDN compromiseBrowser-bundle dependency confusionAI accelerated developmentSupply chain scanning methodologiesGoRustAIAgenticnpmGitGitHubCDNCI/CDLeadershipCommunication
About this role
SentinelOne is a pioneering company at the intersection of AI and security, focused on providing advanced cybersecurity solutions. The Staff Supply Chain & Build-System Security Engineer will engage with customers to address software supply chain risks, validate findings from code scanning, and enhance CI/CD pipeline security.
Responsibilities:
- Lead Wayfinder Frontier AI Services customer engagements focused on software supply chain risk end-to-end — scope, deliver, and present findings to customer engineering and security leadership
- Review and triage supply chain findings from our agentic code scanning pipeline, validate true positives, eliminate noise, prioritize by real exploitability in the customer's environment, and ensure every finding that reaches the customer is a decision they can act on
- Investigate malicious-package incidents: triage suspected compromise, reverse engineer obfuscated install scripts (bun_environment.js-class), identify blast radius, and build customer deliverables
- Build dependency-graphs and reachability analyses across npm, PyPI, Maven, NuGet, Go modules, and Rust crates, document and prioritize findings
- Build and review SBOMs and AIBOM artifacts
- Deliver recommendations on hardening of customer CI/CD pipelines; GitHub Actions, Pinning, OIDC, Trusted Publisher migration, Harden-Runner deployment, runner identity scoping
- Cover client-side supply chain risk in customer engagements
Requirements:
- 7+ years in security with a strong concentration in software supply chain, build systems, or product security, plus a credible development background
- Proven track record translating complex findings into technical and executive-level debriefs. Excellent written and verbal communication is essential
- Deep npm internals fluency, publish flow, registry mechanics, Trusted Publisher and OIDC for publishing, plus working depth across PyPI, Maven Central, and NuGet
- Hands-on dependency analysis and reachability-based prioritization across multiple languages
- Working knowledge of SBOMs, build provenance, and artifact signing, including SLSA, in-toto, and Sigstore, and how to enforce them in a real pipeline
- Experience hardening build environments, git actions, runner isolation, and locked-down secrets handling
- Hands-on malicious-package triage and static reverse engineering of obfuscated JavaScript and Python
- Client-side supply-chain investigation experience (Magecart-class, CDN compromise, browser-bundle dependency confusion)
- Experience with AI accelerated development / supply chain scanning methodologies