Senior Security Engineer

Job description

About the Role

Ruby Central is looking for a Senior Software Engineer focused on security to join our RubyGems team and help protect and secure the key infrastructure that powers the Ruby ecosystem: RubyGems, Bundler, and RubyGems.org.

This role is ideal for an experienced security engineer who is passionate about open source, deeply familiar with Ruby and Ruby on Rails, and eager to support critical tools used by Rubyists every day.


Responsibilities

  • Participate in planning and execution for a security roadmap to sustainably improve the supply chain security of the Ruby package management ecosystem.

  • Formalize existing security practices, and help Ruby projects become more proactive with regard to security improvements.

  • Establish new processes and features that make it easier and more sustainable for the community to prevent, detect, and respond to security risks going forward.

  • Contribute to security policies for the RubyGems.org service, soliciting and considering input from the community and security experts.

  • Participate in relevant working groups and meetings with ecosystem stakeholders and funding partners

  • Design, build, and maintain features in RubyGems, Bundler, and RubyGems.org.

  • Collaborate with maintainers and contributors across the ecosystem to address bugs, security issues, and new feature requests.

  • Monitor and support the AWS-based infrastructure, including automating operations and improving deployment pipelines.

  • Accept on-call shifts for security or other emergency incidents.

  • Participate in community discussions, RFCs, and technical planning for future enhancements to Ruby’s packaging ecosystem.

  • Support and mentor community contributors and volunteers.


Requirements

  • 5+ years of hands-on experience in security engineering, with a strong background in infrastructure and cloud security.

  • Deep proficiency in the Ruby programming language and the Ruby on Rails framework.

  • Expertise in securing AWS cloud environments, including VPC/network security, IAM policies, container security (Kubernetes, Docker), and serverless architectures.

  • Expert-level knowledge of web application vulnerabilities (OWASP Top 10 and beyond) and deep familiarity with the security nuances of Ruby on Rails (e.g., mass assignment, SQLi, XSS, CSRF in a Rails context).

  • Demonstrated experience building and implementing security automation using scripting languages (e.g., Bash, Ruby) to reduce manual work.

  • Proficiency with Infrastructure as Code (IaC) and its security implications (e.g., Terraform, CloudFormation), including experience with IaC scanning tools.

  • Hands-on experience with security tooling such as SAST, DAST, IAST, and infrastructure scanning tools.

  • Experience designing and implementing security monitoring solutions (SIEM, log analysis) and leading incident response efforts, from detection to post-mortem.

  • Excellent communication skills, with the ability to mentor junior engineers and clearly articulate complex security risks to both technical and non-technical stakeholders.


Nice to Have

  • Experience with package manager or software distribution security. Knowledge of standards like SLSA or Sigstore is a major plus.

  • Active participation and contributions in open source communities, particularly Ruby

  • Experience with penetration testing and vulnerability research

  • Background in threat modeling and security architecture


Why Join Us?

Working at Ruby Central means working at the heart of the Ruby community. You’ll help steward some of the most important open source infrastructure in our ecosystem, collaborate with an engaged and passionate community, and help shape the future of Ruby development.

We value sustainability, community care, and transparency. We strive to make working on open source rewarding and impactful for both our team and the wider ecosystem.
