Senior/Staff Program Analysis Engineer, Supply Chain

About the role

As a Program Analysis Engineer on Semgrep's Supply Chain team, you'll lead the development of advanced code analysis capabilities that power our dependency vulnerability detection tools. Other supply chain management tools exist, but they produce far too much noise to be useful or efficient. Security teams may file through thousands of vulnerabilities, informing developers that hundreds of their dependencies have introduced critical vulnerabilities and need updating, when in reality they are not even using those dependencies in a vulnerable way. Perhaps you’ve even felt this pain yourself!

Our goal is to cut through the noise: to make it easy to find and remediate the 2% of vulnerabilities that are actually reachable given the way our customers’ use their dependencies. We work to make supply chain security as simple and intuitive for our users as possible so developers can focus on their own mission.

You’ll learn about the application-security space, mentor other engineers on program analysis and functional programming, and collaborate with product managers and other engineers to create security tools our customers love. Through Semgrep's culture of transparency, you'll see and influence the decisions that make a startup successful. Your technical leadership will be key to making Semgrep a world-leading static-analysis project, giving you lasting influence not only at Semgrep, but in the world's developer community.

You will:

• Code! Make fundamental improvements to Semgrep’s analysis capabilities to enhance the supply chain product offering
• Help set technical and product direction, collaborating with the team to determine the future of the product, what features to build, and how to build them
• Contribute to the technical roadmap for our foundational analysis, listening to our users as well as program analysis engineers and security researchers across the company
• Understand our product roadmap, advocating for improvements to semgrep’s static analysis on behalf of our users and to address supply-chain-specific product gaps
• Advise and mentor other engineers via thoughtful code reviews, planning discussions, technical documentation, and formal mentorship

You are ideal for this role if you have:

• 5+ years of experience with program analysis, static analysis tools, or compiler development
• Experience working in a functional programming language (OCaml, Haskell, F#)
• Technical leadership experience guiding cross-functional teams through complex engineering initiatives
• Passion for shipping quickly and safely, caring deeply about solving real problems for our users and allowing them to depend on us
• Strong understanding of software dependency management across multiple ecosystems (cargo, npm, pip, etc)
• Excellent and proactive communication, both verbal and written

Some examples projects you might work on include:

• Enhance semgrep’s callgraph analysis to better handle virtual calls, dynamic dispatch, and context sensitivity to make our vulnerability detection more precise
• Provide actionable remediation guidance for vulnerabilities in third-party dependencies
• Maintain a database of callgraphs for third-party packages that we can query and stitch in real time
• Work to identify undeclared dependencies (aka phantom dependencies) in customer projects to understand the full scope of their supply chain
• Identify and analyze software dependencies supplied as binaries or bytecode
• Identify breaking changes between different package versions according to customers’ usage of a dependency (callgraphs)

Compensation 

Salary Range: $166,000-238,000 USD

Our compensation package includes equity and benefits in addition to salary.

Please note that the range listed is for someone based in the San Francisco Bay Area.