[Remote] Staff Site Reliability Engineer, Security

Remote Full-time
Note: This is a remote job open to candidates in the USA.

Stord is The Consumer Experience Company, focused on enhancing checkout experiences for leading brands. They are seeking a Staff Site Reliability Engineer with a focus on security to build and scale security programs, integrate automation, and establish continuous posture monitoring in their GCP environment.

Responsibilities

- Assess and harden Stord's GCP footprint (GKE, IAM, Cloud Armor), and codify the baseline in Terraform and policy-as-code where it makes sense.
- Build continuous posture monitoring against that baseline, with a published gap list and remediation schedule.
- Drive the evaluation, integration, and rollout of new security tooling as the program matures.
- Establish and automate the vulnerability and dependency remediation workflow across engineering teams: triage cadence, ownership model, severity-based SLAs, and the tracking infrastructure that drives closure.
- Own Dependabot configuration and triage workflows across our GitHub organization, plus secret scanning, push protection, and response workflows for any secrets that surface.
- Build supply-chain controls into CI/CD: provenance, dependency review, lockfile policies, and build attestation where it pays off.
- Wire container image scanning and DAST/network scanning programs into the same workflow so vulnerabilities don't slip through the cracks between layers.
- Build security capabilities that the broader SRE team can run as part of their normal operating model: Terraform modules, Cloud Armor rules, Istio authorization policies, Cloudflare configuration, scanner pipelines, and custom automation that fills gaps in off-the-shelf tooling.
- Ship documentation, runbooks, and self-service tooling that make your designs portable to the rest of the team, so the program continues to function smoothly through handoffs and rotations.
- Set the engineering bar for security work inside SRE: code review standards, IaC patterns, and "secure by default" templates for new services.
- Partner cross-functionally with engineering teams on app security questions, with IT on identity and endpoint boundaries, and with IT/compliance on occasional SOC 2 evidence pulls, without owning those domains.

Skills

- Deep GCP and GKE security experience. You've hardened production Kubernetes on GCP: workload identity, RBAC, network policies, Pod Security Standards, image provenance. You know where the sharp edges are and which knobs actually matter.
- Dependabot and secret scanning at scale. Hands-on with Dependabot configuration, triage workflows, and remediation tracking. Comfortable rolling out GitHub secret scanning organization-wide, including push protection and response workflows for found secrets.
- CI/CD supply chain hardening. You've designed or operated controls against the threat model that produced Shai-Hulud, XZ, and SolarWinds. Familiar with SLSA, provenance, sigstore, and the trade-offs between rigor and developer friction.
- Cloud security posture management in practice. You've stood up CSPM (built-in, commercial, or open source), defined a baseline, and driven remediation, with an eye for separating real signal from dashboard noise.
- Infrastructure-as-code and automation fluency. Comfortable with Terraform for cloud resources and with writing code (Python, Go, shell, or similar) to automate security workflows, integrate tools, and build in-house capabilities when off-the-shelf options fall short.
- Systems-level technical fluency. You can reason about how the platform pieces fit together (GKE workloads, networking, edge, CI/CD) and debug security-relevant infrastructure problems alongside the broader SRE team.
- Track record of designing for operability. You've shipped tools and workflows that other engineers actually adopt and rely on day-to-day.
- Ownership & Accountability. You own features end-to-end and take pride in what you ship. You follow through from design to production and don't drop things.
- Strong Communication. You can explain technical decisions and trade-offs to engineers, PMs, and stakeholders. You ask good questions and listen well.
- Collaborative Approach. You work well with others, give constructive code review feedback, and actively seek input from teammates.
- Production Mindset. You prioritize reliability and user impact. You think about failure modes, monitoring, and operational concerns as part of your design process.
- Learning Agility. You're comfortable with rapidly evolving AI/ML technologies and tools. You stay current without chasing hype.
- Directed AI-Assisted Development. You know how to use AI coding tools as a productivity multiplier while maintaining quality and your own technical judgment.
- Container and image scanning. Production experience integrating image scanners into CI/CD and registry workflows, with thoughtful handling of vulnerability data freshness and triage.
- DAST and network scanning programs. OWASP ZAP, nmap, or commercial equivalents, built into a repeatable internal audit cadence rather than one-off exercises.
- Cloudflare edge security. WAF rules, rate limiting, bot management, and how that fits with origin-side Cloud Armor.
- Detection engineering on GCP. Logs Explorer, BigQuery-backed security analytics, and alert tuning that keeps the on-call experience humane.

Company Overview

Stord provides commerce enablement software and logistics services for e-commerce and omnichannel brands. It was founded in 2015 and is headquartered in Atlanta, Georgia, USA, with a workforce of 1001-5000 employees. Its website is https://www.stord.com.

Company H1B Sponsorship

Stord has a track record of offering H1B sponsorships, with 2 in 2026, 5 in 2025, 4 in 2024, 2 in 2023, 7 in 2022, 2 in 2021, and 2 in 2020. Please note that this does not guarantee sponsorship for this specific role.
