Embedded Product Security Engineer

MeeBoss 

📍 United States 🇺🇸

full-time
mid-level
100000
remote

Key Skills

C/C++, DevSecOps, Vulnerability Management, Static Analysis, Software Supply Chain

Industry

Consumer Electronics, Cybersecurity

Job Description

Embedded Product Security Engineer

Location: Remote (Seattle, WA; Portland, OR; Jacksonville, FL)
Employment Type: Full-time
Salary: $100,000 - $150,000/year
Experience Level: Mid-level (3-4 years)
Education: Bachelor's Degree

About Softgent

Our mission is to harness the power of breakthrough technology and match it with practical, effective solutions. We are committed to pushing the boundaries of what's possible, providing our clients with innovative products and services that are at the cutting edge of engineering. We strive to create value through ingenuity, dedicated to delivering excellence and fostering progress with every project we undertake.

Role Overview

We are looking for an experienced Embedded Product Security Engineer to strengthen the security posture of our embedded software products and development ecosystem. In this role, you will work at the intersection of embedded software engineering, cybersecurity, and DevSecOps, helping development teams build secure, compliant, and maintainable products.

You will be responsible for implementing and operating vulnerability management processes, integrating security tooling into CI/CD pipelines, supporting secure software supply chain practices, and collaborating closely with engineering teams across complex embedded environments.

This position requires strong hands-on expertise in embedded C/C++ ecosystems, static analysis, software composition analysis, SBOM management, and automation using modern DevSecOps practices.

Key Responsibilities

  • Vulnerability Management: Build and maintain end-to-end vulnerability management processes, including centralized vulnerability tracking, ownership assignment, traceability, CVE monitoring, triage and prioritization, and false-positive management.
  • Security Tooling Configuration: Configure, maintain, and optimize SAST and SCA tooling for embedded C/C++ projects using Veracode, Veracode SCA, yocto-cve-check, and related security tooling.
  • Static Analysis Preparation: Prepare embedded C/C++ codebases for static analysis by managing preprocessing, compilation environments, debug symbols, and analysis requirements.
  • SBOM Management: Generate and maintain Software Bills of Materials (SBOMs) using standards such as CycloneDX and SPDX.
  • CI/CD Integration: Integrate security controls and automated security gates into CI/CD workflows using GitHub Actions, reusable workflows, composite actions, and infrastructure automation.
  • Repository Migration: Support software repository migrations into GitHub from legacy platforms including SVN, Bitbucket, and GitLab.
  • Embedded Environment Support: Work across heterogeneous embedded environments and toolchains, including Yocto, Buildroot, RTOS, bare-metal systems, CMake, Make, GCC ARM, IAR, and vendor SDKs/HALs.
  • Automation Development: Develop automation and engineering tooling using Python, Bash, and Linux command-line environments.
  • Collaboration: Collaborate closely with software teams and technical stakeholders to explain security findings, improve remediation workflows, and support secure development practices.
  • Compliance: Contribute to secure software development lifecycle (SSDLC) initiatives and product compliance activities.

Requirements

  • Experience: Proven experience in Product Security, DevSecOps, Secure Software Engineering, or Security Compliance.
  • Vulnerability Management: Strong practical knowledge of vulnerability management, SAST/SCA workflows, CVE monitoring, risk prioritization, and false-positive handling.
  • Tooling Expertise: Hands-on experience with static and software composition analysis tools for C/C++ projects, especially Veracode and Veracode SCA.
  • Analysis Preparation: Experience preparing embedded C/C++ projects for automated security analysis.
  • Supply Chain Security: Knowledge of SBOM generation standards and software supply chain security practices.
  • CI/CD Integration: Experience integrating security tooling into CI/CD pipelines, preferably with GitHub Actions.
  • Version Control: Strong GitHub experience, including repository administration and migrations from legacy VCS platforms.
  • Embedded Knowledge: Solid understanding of embedded software development environments, including embedded Linux, RTOS, bare-metal firmware, cross-compilation toolchains, and embedded build systems.
  • Scripting: Practical scripting and automation skills using Python, Bash, and Linux tooling.
  • Communication: Strong communication skills and ability to collaborate effectively across multidisciplinary engineering teams.
  • Independence: Ability to work independently in complex, legacy, or heterogeneous technical environments.

Nice to Have

  • Experience with FreeRTOS, Zephyr, Buildroot, Yocto ecosystem security, firmware signing, secure boot, or supply chain security frameworks.
  • Familiarity with ISO 21434, IEC 62443, FDA cybersecurity guidance, or other product-security-related standards.
  • Experience supporting compliance or certification activities.

Preferred Certifications

  • CISSP
  • CEH
  • Security+
  • CISM
  • CISA

Skills

  • Embedded C/C++
  • DevSecOps
  • Vulnerability Management
  • Static Analysis
  • Software Supply Chain

Language

  • English