Staff Security Engineer

Ever since we started in 2007, Sunrun has been at the forefront of connecting people to the cleanest energy on Earth. It’s why we’ve become the #1 home solar and battery company in America. Today, we’re on a mission to change the way the world interacts with energy, and we’re building a company and brand that puts power at the center of life. And we’re doing it by designing a dynamic culture where employee development, well-being, and safety come first. We’re unlike any other solar company. Our vertically integrated model gives us total control over every part of the energy lifecycle – from sale through installation and beyond – so you can find endless opportunities for growth. Come join a career you can grow in and a culture you can run with.

This position is primarily remote, with occasional visits to a local office or our corporate headquarters for team-building, training, and collaborative project work. These on-site sessions are designed to strengthen connections, share insights, and ensure a seamless experience for our team and customers. Equipment pick-up from a local branch will be required. We will  provide advance notice whenever on-site attendance is required, making these times purposeful and rewarding.

Position Overview:
We’re looking for a Staff Security Engineer to scale our software security program, embedding security into how we design, build, and ship software. This is a high-impact, hands-on leadership role where you'll own key initiatives across static code analysis (SAST), software composition analysis (SCA), and secrets detection and management.
You’ll work closely with engineering, DevOps, and security teams to integrate tools into our CI/CD pipelines, shape secure architecture decisions, and empower developers to build secure software without slowing down delivery. If you're passionate about enabling secure innovation at scale, this role gives you the platform to drive meaningful change across the engineering ecosystem.

Key Responsibilities:
Software Security Program Leadership

• Drive the maturity of our secure development practices through clear policies, standards, and technical integrations. Foster the adoption of DevSecOps principles across engineering teams.

Security Automation

• Build security automation and orchestration to streamline testing, alerting, and remediation—accelerating resolution and reducing manual burden on developers.

CI/CD Pipeline Integration

• Embed and optimize SAST, DAST, SCA, and secrets scanning tools into CI/CD workflows to ensure fast, automated security feedback throughout the development lifecycle.

Static Application Security Testing (SAST)

• Configure, manage, and scale SAST tools. Work with engineers to triage results, remediate findings, and promote secure-by-default design patterns.

Software Composition Analysis (SCA)

• Operate and enhance SCA tools to manage open-source and third-party component risk—including known vulnerabilities, license compliance, and supply chain exposure.

Secrets Scanning & Management

• Detect and prevent credential leakage in code and configurations. Champion secure secrets management using tools like Vault, CyberArk, and GitLeaks.

Mentorship & Enablement

• Act as a technical mentor to developers and junior security engineers. Provide guidance on secure coding practices, tooling, and threat modeling.

Required Qualifications:

• Bachelor’s degree in Computer Science, Information Security, or a related field or equivalent practical experience.
• 8+ years of experience in Software Security, Application Security, or Security Engineering, with several years in senior or lead roles.
• Proven experience leading secure software initiatives and integrating security into CI/CD pipelines.
• Hands-on expertise with SAST tools such as GHAS, Semgrep, Veracode, Checkmarx.
• Experience operating SCA tools such as Snyk, OWASP Dependency-Check, Mend, Black Duck.
• Strong background in secrets detection and management (e.g., GitLeaks, TruffleHog, Vault, CyberArk).
• Proficiency in scripting using languages like Python, Bash, PowerShell, Go.
• Solid understanding of cloud security fundamentals (AWS, Azure, or GCP).
• Strong communication and collaboration skills; ability to work with both technical and executive stakeholders.
• Demonstrated leadership and mentorship experience.

Preferred Qualifications:

• Master’s degree in a relevant technical field.
• Advanced certifications (e.g., OSCP, CISSP-ISSAP/ISSEP, CSSLP, GCSA, GWEB, GDSA).
• Experience securing Infrastructure as Code (IaC) using tools like Terrascan, Checkov, and frameworks like Terraform or Pulumi.
• Familiarity with Dynamic and Interactive Application Security Testing (DAST, IAST).
• Experience building security dashboards and reporting metrics to senior leadership.
• Contributions to open-source security tools or published research in application security.

Recruiter:

Please note that the compensation information is made in good faith for this position only.  It assumes that the successful candidate will be located in markets within the United States that warrant the compensation.  Please speak with your recruiter to learn more.

Starting salary/wage for this opportunity:

Compensation decisions will not be based on a candidate's salary history. You can learn more here.

This job description outlines the primary responsibilities, some essential job functions, and qualifications for the role. It may not include all essential functions, tasks, or requirements. If you are a qualified individual with a disability and you need reasonable accommodation during the hiring process or to perform this role, please contact us at candidateaccommodations@sunrun.com.

Sunrun is proud to be an equal opportunity employer that does not tolerate discrimination or harassment of any kind.  We believe that empowering people and valuing their differences are essential for our mission of connecting people to the cleanest energy on earth. Learn more here: EEO | Sunrun