Principal Product Security Engineer
Rosslyn, VA or Remote
Shift5
Get powerful real-time insights and actionable analytics for aerospace, rail, and defense operations with Shift5's observability platform. Unlock complete onboard data access for all operations, maintenance, and cybersecurity teams.
Description:
Shift5 is seeking an experienced and passionate Principal Product Security Engineer to join our growing team. In this role your primary focus will be developing strategies and techniques for our Product Security program. You will help establish and implement industry-leading security processes and practices at each phase of the hardware and software development lifecycle. You will design, implement, and review security features, perform source code audits, and conduct security penetration testing of our products. You will identify vulnerabilities across our products and communicate those vulnerabilities and their impacts to our Product and Engineering teams.
In this role you will play a crucial role in helping Shift5 defend critical national infrastructure, weapons platforms, and logistics by ensuring our products do not introduce new attack surfaces on these systems. This position reports to the Senior Director of Platform Security Engineering and resides in our Research organization, whose responsibilities include vulnerability research, product security and threat detection techniques for the current Operational Technology (OT) threat landscape.
You will be expected to build and implement a Product Security program from scratch that encompasses a very deep technical stack from proprietary hardware up to front-end software systems. You will guide and mentor other Product Security engineers to help implement the program alongside you. You will work closely with Product, Field, and DevOps Engineers to develop requirements for the program and then implement solutions for those requirements. You will be expected to adapt the program based on changing customer deployment configurations, rapid changes to products, and compliance and certification needs.
We are looking for someone with an insatiable appetite for learning who frequently explores ways to make the impossible possible. Someone who embraces uncertainty, thrives in the unknown, and views incomplete information as an opportunity. You should have a passion for hardening critical infrastructure systems, taking zero shortcuts when it comes to securing our products, and finding vulnerabilities/bugs. You must own what you build and understand the responsibility that comes with securing our products - it is a zero-fail mission, where failure could cause damage to real systems and people’s lives. Your mission is to ensure that our customers can trust our platform with their most sensitive operations and data. If this sounds like you, drop us a line because we’d love to start a conversation.
Shift5 is a rapidly growing cybersecurity scale-up. We specialize in cybersecurity technology, data collection, and insights for a wide variety of operational systems. To put it simply, we defend planes, trains and tanks from cyberattack. We are a collaborative, passionate and driven cadre of cyber security experts. Our engineers are multidisciplinary and our team is dynamic. We’re a growing company focused on helping our customers’ fleets run smarter and safer by capitalizing on mountains of data resting right above the wheels. Come join us.
In this role you will be expected to:
- Architect a comprehensive Product Security program from scratch for a cybersecurity product that spans a deep technical stack.
- Develop internal processes and tooling to automate the analysis and testing of Shift5 hardware and software.
- Develop methods to detect vulnerabilities within the software supply chains that fuel our DevOps pipelines and products.
- Work with product engineers and field teams to develop a culture of secure software development standards and practices.
- Research, design, and implement a wide array of hardware and software product security features.
- Exhibit strong secure programming skills (C/C++, Python, and other languages).
- Understand best practices around operating system security (primarily Linux) and container security (using Docker, Docker Compose, Kubernetes, Podman, etc.).
- Regularly perform Shift5 source code audits, manage external 3rd party source code audits, write audit reports, recommend remediations, and validate post-remediation changes.
- Regularly perform white, gray, and black box IT & OT security penetration tests of Shift5 products.
- Assist in creating the necessary infrastructure to perform security penetration tests that include assessing the security of OT interfaces.
- Develop OT attack frameworks and tools that can perform simulated and/or real attack scenarios on serial bus networks (e.g. bus protocol fuzzers).
- Assist in vulnerability or risk remediation efforts by effectively triaging bug findings, coordinating Engineering’s response, and either guiding teams through the implementation of fixes or implementing them yourself.
- Perform risk assessments and mitigations of various product integrations into customer environments.
- Develop and maintain deep expertise on how our products are engineered.
- Analyze operational data, threat intelligence, and vulnerability insights of our customer platforms to continuously improve our Product Security.
- Assist with any investigations related to product security incidents in the field.
- Effectively collaborate across multiple organizations to communicate and execute the Product Security program.
- Create reports and records that describe the Product Security program, assist with compliance and certification needs/directives, and others as the program dictates.
- Be ready to learn and be flexible. You will be engaged in a wide variety of work in support of Shift5 priorities and products, which often change in a growing company.
- Travel into headquarters whenever needed to adjust the physical infrastructure or set up additional lab environments.
- Occasional travel to customer sites is expected.
We're looking for someone who is/has:
- BS or MS in Computer Science, Electrical Engineering, Computer Engineering, or equivalent.
- Experience in product and application security.
- Strong proficiency in secure software engineering using C/C++, Python, and other languages.
- Strong proficiency with container security using Docker, Docker Compose, Kubernetes, Podman, and associated assessment tools.
- Strong proficiency with a wide variety of SAST, DAST, IAST, vulnerability scanners, and other code vulnerability checkers.
- Strong proficiency with secure operating system principles, security controls, audit mechanisms, and tools for continuous monitoring - all within the context of Linux operating systems.
- Experience with a wide variety of DevOps tools (git, Gitlab, Gitlab-CI, Conan and other C/C++ package managers, Linux operating systems, etc.).
- Experience with penetration testing, red teaming, and/or vulnerability research, preferably within the OT space but not required.
- Familiarity with serial and embedded protocols such as MIL-STD-1553, ARINC 429, CAN, etc.
- Experience with developing cyber attack frameworks or tools, preferably for OT but not required.
- Experience with embedded, application, back-end, and front-end software systems. Expertise in every area is not expected, but broad coverage is preferred.
- Effective communication skills in both written and verbal formats.
- Experience collaborating across multiple organizations, particularly with engineers, to remediate security vulnerabilities, implement new security features, and help prioritize product security requirements.
- Ability to navigate multiple competing priorities.
- Ability to quickly learn and deploy new technologies.
- Passion for securing products.
- US Citizenship.
- Ability to obtain or hold a US Government Security Clearance.
Compensation & Benefits:
- Competitive salary and stock options in a fast-growing startup
- Employer-paid medical, dental and vision coverage for employees and their families
- Health Savings Account with annual employer contributions
- 401k with employer contributions
- Employer-paid Life Insurance
- Uncapped paid time off policy
- Flexible work & remote work policy
- Tax-deferred public transit benefits with Metro SmartBenefits (DC/MD/VA)
We are committed to building an inclusive culture of belonging that embraces the diversity of our people and represents the communities in which we work and the customers we serve. We know the happiest and highest performing teams include people with diverse perspectives and ways of solving problems. We strive to attract and retain talent from all backgrounds and create workplaces where everyone feels empowered to bring their full, authentic selves to work.
Shift5 is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sexual orientation, gender identity, national origin, disability, age, marital status, ancestry, protected veteran status, or any other protected group or class.