Embedded Product Security Engineer

Eagle Wireless 

📍 Minneapolis, United States 🇺🇸

full-time
mid-level
Posted —

Key Skills

Python, SBOM, CI/CD, Binwalk, Ghidra

Industry

Consumer Electronics, Telecommunications

Job Description

Eagle Wireless is a connectivity company delivering secure, reliable, and scalable cellular modules and solutions for automotive and IoT applications. With a strong presence in the United States and global R&D teams across North America, Europe, and APAC, Eagle Wireless supports customers worldwide with long-life, compliant, and cyber-secure connectivity products. Focused on trust, supply chain resilience, and regulatory compliance, Eagle Wireless helps OEMs, Tier 1 suppliers, and IoT innovators deploy connected technologies with confidence in an increasingly complex global environment.


We are looking for: Embedded Product Security Engineer


This is a hands-on technical role. You will write and run code, operate tooling in containers, generate customer-facing reports, and work directly with firmware and software engineers to remediate findings. You will also be a key contributor to our CI/CD pipeline, embedding security analysis at the build stage rather than as an afterthought.


Key responsibilities:

CVE triage and vulnerability management

  • Monitor CVE feeds and security advisories relevant to our component stacks across all product lines
  • Triage incoming CVEs against maintained SBOMs, assess exploitability, and determine applicability per product
  • Author and deliver VEX (Vulnerability Exploitability eXchange) documents to customers within required timelines
  • Maintain component inventory as products evolve through their lifecycle
  • Operate and maintain vulnerability management tooling (e.g. Dependency-Track or equivalent)


SBOM generation and maintenance

  • Generate and maintain accurate SBOMs (CycloneDX / SPDX) for all 20+ product lines
  • Integrate SBOM generation into CI/CD pipelines so artifacts are produced automatically at build time
  • Deliver SBOMs to customers in required formats (CycloneDX, SPDX) on agreed cadences
  • Track third-party component updates, license changes, and EOL status across the product portfolio


Secure CI/CD and DevSecOps integration

  • Work with platform and DevOps engineers to integrate security tooling into build pipelines
  • Deploy and maintain source code static analysis tools (e.g. Coverity, Clang Static Analyzer) and binary analysis tools (e.g. Binwalk, Finite State, Binary Ninja) — selecting the right tool for the analysis context
  • Implement and manage code signing and binary signing workflows for firmware and software releases, including key management and certificate lifecycle
  • Define and enforce security gates in the pipeline — builds that introduce new critical findings do not ship
  • Support secret scanning, dependency checking, and license compliance tooling in CI
  • Maintain reproducible, containerised analysis environments so tooling runs consistently across dev, CI, and ad-hoc investigation contexts


Firmware and hardware security analysis

  • Perform or coordinate binary firmware analysis using tools such as Binwalk, Ghidra, Binary Ninja, and Finite State to identify vulnerabilities, hardcoded credentials, and insecure configurations
  • Conduct or support source code security review of C/C++ and embedded codebases, identifying memory safety issues, unsafe function usage, and logic flaws
  • Assess hardware debug interfaces (UART, JTAG, SWD) for exposure and insecure defaults; document findings and work with hardware engineers on mitigations
  • Evaluate boot security: secure boot, chain-of-trust, and firmware signing enforcement
  • Identify and triage vulnerabilities specific to cellular module threat models — baseband exposure, AT command surface, modem firmware, and OTA update security
  • Produce structured technical findings reports from firmware and hardware analysis, suitable for engineering remediation and customer-facing disclosure where required


Reporting and automation

  • Write Python scripts and tooling to automate vulnerability report generation for customer delivery
  • Build and maintain containerised analysis workflows that can be run reliably across different environments
  • Produce clear, accurate security reports suitable for both technical and non-technical customer contacts
  • Maintain dashboards and metrics for internal tracking of vulnerability status across the product portfolio


Customer and cross-functional support

  • Produce technical security data packages — SBOMs, VEX documents, and scan results — for customer delivery
  • Provide technical input to penetration test scoping and support findings review
  • Work with firmware and software engineers to communicate vulnerability findings clearly and track remediation
  • Ensure outputs (SBOMs, VEX documents, reports) meet the technical requirements of the EU Cyber Resilience Act (CRA)


Required qualifications

  • 3+ years in a product security, application security, or security engineering role
  • Hands-on Python development — you write scripts and tooling, not just configure dashboards
  • Practical experience with SBOM formats (CycloneDX, SPDX) and VEX
  • Working knowledge of CVE, CVSS, and vulnerability triage methodology
  • Experience with container-based workflows — building, running, and debugging containers (Docker, Podman)
  • Familiarity with CI/CD systems (Jenkins, Bitbucket Pipelines, Gerrit, or similar) and integrating security tooling into pipelines
  • Experience with source code static analysis tools (e.g. Coverity, Clang Static Analyzer) — able to tune rules, review findings, and distinguish true positives from noise
  • Hands-on experience with binary firmware analysis tooling — Binwalk for unpacking and filesystem extraction, Ghidra or Binary Ninja for reverse engineering and disassembly
  • Practical understanding of hardware debug interfaces: UART, JTAG, and SWD — what they expose, how to assess them, and how to advise on hardening
  • Understanding of code signing, certificate management, and PKI as applied to firmware or software releases
  • Strong written communication — you will author documents that go directly to customers


Preferred qualifications

  • Experience in an embedded systems, firmware, or hardware product company — cellular, IoT, or industrial preferred
  • Familiarity with cellular module threat models: AT command attack surface, baseband firmware, SIM/eSIM security, and OTA update mechanisms
  • Experience with Finite State or similar commercial firmware security analysis platforms
  • Reverse engineering experience with Ghidra, Binary Ninja, or IDA Pro — able to navigate disassembly and identify security-relevant code paths
  • Experience testing or assessing hardware debug interfaces (UART, JTAG, SWD) in a lab setting
  • Knowledge of EU Cyber Resilience Act requirements and obligations
  • Experience with Dependency-Track, Grype, Syft, or similar open-source vulnerability management platforms
  • Exposure to OpenVEX or other machine-readable VEX formats
  • Understanding of firmware supply chain security concepts (SLSA, sigstore, reproducible builds)
  • Relevant certifications: GREM, GPEN, CSSLP, CompTIA Security+, or similar — firmware/hardware focus preferred
  • Comfortable in a lab environment — able to work with hardware, connect to debug interfaces, and run tooling on physical devices


What success looks like

30 days - Understand our product portfolio, component stacks, and current SBOM coverage. Identify the largest gaps in our CVE triage process.

90 days - Vulnerability management tooling deployed. SBOM generation automated for at least a subset of product lines. First VEX documents delivered to customers.

6 months - Security gates active in CI/CD. Binary signing integrated. All active products have maintained SBOMs. CVE triage running as a steady-state program rather than reactive firefighting.

12 months - Full product security tooling stack operational and producing consistent outputs. Customer SBOM and VEX delivery running as a steady-state automated program. Product security posture measurably improved and demonstrable through data.