Security engineer

Find out what a security engineer does and the skills
you need to do the job.

Updated: April 7, 2022

Introduction to the role of security engineer

At Skylight, a security engineer is both a researcher and a technical implementer. As a researcher, this person stays up to date with the cutting edge of security and helps Skylight implement new processes, tools, and remediations. As an implementer, this person is familiar with modern software development and works in a cross-functional team to inform and guide security best practices at all stages of the software development life cycle.

Below you’ll find the full list of skills for becoming a security engineer at Skylight and a description of the skills required for each level. These descriptions offer insight into the scope of work someone at each level should be capable of doing on a consistent basis. We use these role descriptions both as a guide during the hiring process and as a springboard for discussing career progression at Skylight.

Required skills

Risk detection

Part of a good security posture is remaining ever vigilant. Security engineers should be constantly reviewing all aspects of the application, deployed or not, for risks like security vulnerabilities and enumerating them — you can’t mitigate what you can’t see.

Risk mitigation and prevention

Any engineer working with security knows that work is often spent in a reactive state. This is stressful but often unnecessary. Being proactive with proper risk mitigation can transform a problem application into a model citizen.

Research

New threats and attack vectors are discovered daily, but often only the savvily marketed ones make the news. Part of a good security posture is keeping an ear to the ground.

Compliance

In any large business, and in the federal space in particular, security requirements are complex. They’ve spawned a series of regulatory frameworks, such as HIPAA, with in-depth technical and process requirements. Complying with these frameworks is essential to our success.

Security advocacy

Development needs security built in from the start, whether for an application or its underlying infrastructure. Following best practices often and early will help teams get there.

Security engineer career pathway

Associate security engineer

As a trainee in an entry-level role, you may have heard of many of these concepts and likely at least dabbled in them yourself. Compared to the more experienced engineers on the team, you’ll need guidance and training to develop these skills and produce quality work.

Skills needed for this level

Risk detection

You know reviewing your security posture is important. You’re actively monitoring your project and, with guidance, can point out potential risks.

Risk mitigation and prevention

You have a basic understanding of common risks and can implement mitigations for them with guidance.

Research

You’re aware of common sources of vulnerability information, such as NIST and MITRE. You know if anything big has happened this week.

Compliance

You understand that projects are often bound by outside requirements and that sometimes features must be implemented in a certain way for the sake of compliance.

Security advocacy

You understand that the ability to deal with security issues is often distributed unevenly among teams and projects, but you still need extensive guidance on what to do about it.

Security engineer I

As a junior security engineer, you’ll be expected to own and complete routine tasks with minimal oversight. For more advanced tasks, you’ll need additional training and guidance from a more experienced engineer.

Skills needed for this level

Risk detection

You’re raising basic security concerns to the team during the development cycle and noting areas for improvement. With guidance, you’re comfortable translating vulnerabilities and security review findings into actionable tasks. You can summarize and communicate security review findings.

Risk mitigation and prevention

You’re able to mitigate most basic risks with minimal guidance. You have a general understanding of how to prevent these risks in the first place.

Research

You’re familiar with concepts like CVEs and the NVD and know how to track them. You know whether a particular CVE affects the team and prioritize it accordingly.

Compliance

You’ve seen enough regulatory language to be able to translate it into basic technical requirements. You can help your team comply with more complicated regulatory language with the help of an experienced translator.

Security advocacy

You’ve come up with some initial ways to effectively advocate for security best practices, although you’re still not quite sure how to best do so. You’re aware of common security pitfalls and can help the team avoid them.

Security engineer II

With the experience you’ve acquired, you’ll be trusted and expected to handle most tasks without much guidance or support — although it’s there if you need it.

Skills needed for this level

Risk detection

You’re aware of a wide variety of potential project risks and detection methods, such as those from the OWASP Foundation. You’ve built those detection methods into every stage of the software development life cycle. You help the team prioritize remediations. You’re a source of expertise on your team.

Risk mitigation and prevention

You’ve built mitigations into each stage of the software development life cycle to systematically and consistently address risks with minimal oversight, such as automated vulnerability scanning or process controls. You can be trusted to ensure that every piece of infrastructure is consistently patched and dependencies are always versioned.

Research

You’re tapped into multiple sources and you’re tracking all of the new CVEs — whether it’s GitHub issues, blogs, or Twitter, you’re there. You’re constantly evaluating anything that poses a project risk and informing the team accordingly.

Compliance

You’re adept at translating regulatory language into technical tasks. You know what compliance looks like and when you’ve achieved it.

Security advocacy

You know exactly where the team is falling short and you’re able to effectively advocate for best practices to address those shortcomings, such as “shifting left” on security tasks to build in security from the start. You’re raising the team’s overall security competency through both your words and actions.

Senior security engineer

A senior security engineer is a technical leader for the project. This means independently handling complex tasks, consistently striving for industry best practices, and serving as a mentor for more junior team members.

Skills needed for this level

Risk detection

You don’t need to be told what’s wrong — you proactively work with your team and stakeholders to surface project risk. You’re summarizing both known and potential risks to the team and ensuring they’re addressed.

Risk mitigation and prevention

You work with your team and stakeholders to lead remediation efforts for your project. If your project has particular compliance requirements, you can translate them to technical requirements and make sure they get met. You take a failed security check personally.

Research

You’re adept at immediately addressing new vulnerabilities and ensuring that your application remains secure. Your team sees you as a research expert.

Compliance

You’re ensuring your project is compliant with any regulatory requirement. You’re the compliance language expert, and you can translate any requirement into a technical implementation that’s appropriate for the team and application.

Security advocacy

You’ve gotten the team to buy into cutting-edge DevOps principles, and the team is consistently adding secure, high-quality features.

Staff security engineer

A staff security engineer takes the experience gained from previous project technical leadership and uses it to lead and align best practices and company initiatives across multiple teams.

Skills needed for this level

Risk detection

You’ve taken a project to production and you understand the common risks shared between projects. You’re ensuring that multiple projects are detecting these risks in a repeatable, systematic way.

Risk mitigation and prevention

You’ve taken a project to production and you understand common mitigation and prevention techniques that can be shared between projects. You’re ensuring that multiple projects are appropriately prioritizing and implementing remediations in a standard way, and that they’re passing relevant security reviews.

Research

You’re constantly sharing your findings with Skylight as a whole and improving our security posture. You’re able to translate vulnerability findings into technical mitigations and help teams apply them across a variety of tech stacks.

Compliance

You’ve taken a project to production and you understand what that process looks like for other teams. You’re ensuring that multiple projects are meeting our high bar for quality by helping teams prioritize and organize work to meet stakeholder requirements and deadlines. ATO, FISMA, HIPAA — these acronyms have become old friends.

Security advocacy

You’re an advocate for security best practices company-wide. You’re helping multiple teams implement best practices and building a security-oriented development culture.

Principal security engineer

A principal security engineer leads in researching industry best practices and implementing them across the entire organization. You’re a technical leader in your field who helps Skylight recruit and retain amazing engineers. You’re able to define and drive organizational priorities and work effectively with our government colleagues.

Skills needed for this level

Risk detection

If there’s a vulnerability in a Skylight project, you already know about it. You’ve designed and applied a security review framework to the organization as a whole. You’re actively involved in the security requirements of every Skylight project and are critical to our success.

Risk mitigation and prevention

The buck stops here. You’re actively involved in the production requirements of every Skylight project and are critical to our success.

Research

You’ve achieved professional excellence. You’ve published papers, presented at conferences, or are otherwise a leader in the security research field.

Compliance

You’re a recognized expert on one or more regulatory frameworks. You draft Skylight policy and technical implementations for these frameworks. You directly impact Skylight’s financial success by ensuring projects comply with your policies.

Security advocacy

You’re a thought leader in the security field, and you’ve likely created or defined a best practice in the field. You’re standardizing and advocating for best practices across Skylight.
