Semgrep

Senior Program Analysis Engineer, Code

Remote

Compensation: Not specified
Experience Level: Senior (5 to 8 years)
Job Type: Full Time
Visa: Unknown
Industries: Cybersecurity, Software Security, Application Security

Position Overview

  • Location Type: Not specified
  • Job Type: Not specified
  • Salary: $176,000-207,000 USD (for San Francisco Bay Area)

Semgrep is seeking a Program Analysis Engineer to join their Code product team. This role involves building user-facing security tools to enhance software security. You will expand Semgrep's static analysis capabilities, improve engine speed, and add new analysis features to detect vulnerabilities. The position offers opportunities to learn about application security, mentor junior developers, and collaborate with product managers, security researchers, and engineers. You will influence the technical and product direction of Semgrep's foundational analysis and contribute to making it a world-leading static-analysis project.

Requirements

  • 4+ years of software development experience, with at least 3 years focusing on program static analysis or equivalent academic experience (e.g., PhD).
  • Experience working in a functional programming language (OCaml, Haskell, Rust, F#).
  • Technical leadership experience guiding cross-functional teams through complex engineering initiatives.
  • Passion for shipping quickly and safely, solving real user problems, and enabling user dependability.
  • Excellent and proactive communication skills, both verbal and written.

Responsibilities

  • Make fundamental improvements to Semgrep’s analysis capabilities to enhance the Code product line.
  • Help set technical and product direction, collaborating with the team on product features and implementation.
  • Contribute to the technical roadmap for foundational analysis, incorporating user feedback and insights from program analysis engineers and security researchers.
  • Learn from users to understand their needs, build products to keep them secure, and help them scale their security programs.
  • Advise and mentor other engineers through code reviews, planning discussions, technical documentation, and formal mentorship.

Example Projects

  • Enhance field-sensitivity in Semgrep's taint analysis engine or enable taint tracking through function callbacks in JavaScript.
  • Design a new rule syntax in conjunction with Security Researchers to simplify rule writing for common frameworks.
  • Add new features to the IDE experience for the Code product.

Company Information

Semgrep is on a mission to make it expensive to exploit software. As the team behind the most popular SAST, Semgrep built the Semgrep AppSec Platform to deliver industry-leading code, dependency, and secrets scanning, enabling organizations to ship secure code quickly without slowing down development. Leading companies like Snowflake, Plaid, Figma, Lyft, and Dropbox rely on Semgrep. The company is funded by top investors including Felicis Ventures, Lightspeed Venture Partners, Menlo Ventures, Redpoint Ventures, and Sequoia Capital.

Compensation & Benefits

  • Salary Range: $176,000-207,000 USD (for San Francisco Bay Area).
  • Compensation package includes equity and benefits in addition to salary.
  • Semgrep aims to competitively and fairly compensate all employees with a system that rewards those who are vocal and those who are less comfortable making demands.

Skills

Static Analysis
Security Tools Development
Programming Languages (e.g., multiple languages for static analysis)
Vulnerability Detection
Code Analysis
Collaboration with Product Managers and Security Researchers
Mentoring Junior Developers

Semgrep

Vulnerability detection tool for software development

About Semgrep

Semgrep offers a tool that helps security engineers and developers identify and fix vulnerabilities in their code before deployment. It integrates into existing workflows, providing actionable insights while significantly reducing false positives in open-source vulnerabilities by up to 98% through reachability analysis. The tool is designed for speed, with average scan times of less than 5 minutes, allowing teams to quickly address security issues. Semgrep aims to enhance the security of the software development life cycle, improving productivity and reducing technical debt.

Headquarters: San Francisco, California
Year Founded: 2017
Total Funding: $90.5M
Company Stage: Series C
Industries: Enterprise Software, Cybersecurity
Employees: 51-200

Benefits

Health Insurance
Paid Vacation
401(k) Retirement Plan
Professional Development Budget
Flexible Work Hours
Remote Work Options

Risks

Increased competition from Snyk and GitGuardian in the code analysis market.
Rapid evolution of programming languages may outpace Semgrep's tool updates.
Customer concerns about data privacy in cloud-based solutions could affect adoption.

Differentiation

Semgrep reduces false positives in vulnerabilities by up to 98% with reachability analysis.
The tool integrates seamlessly into existing workflows and ticketing systems for developers.
Average scan time is under 5 minutes, enhancing productivity and efficiency.

Upsides

Increased demand for supply chain security tools boosts Semgrep's market potential.
Rise of DevSecOps practices aligns with Semgrep's focus on SDLC security integration.
Growing popularity of IaC tools presents expansion opportunities for Semgrep.