Principal Product Security Engineer

Rosslyn, VA or Remote

Applications have closed

Shift5

Get powerful real-time insights and actionable analytics for aerospace, rail, and defense operations with Shift5's observability platform. Unlock complete onboard data access for all operations, maintenance, and cybersecurity teams.


Description: 

Shift5 is seeking an experienced and passionate Principal Product Security Engineer to join our growing team. In this role your primary focus will be developing strategies and techniques for our Product Security program. You will help establish and implement industry-leading security processes and practices at each phase of the hardware and software development lifecycle. You will design, implement, and review security features, as well as perform source code audits and security penetration testing of our products. You will identify vulnerabilities across our products and communicate those vulnerabilities and their impacts to our Product and Engineering teams.

In this role you will play a crucial role in helping Shift5 defend critical national infrastructure, weapons platforms, and logistics by ensuring our products do not introduce new attack surfaces on these systems. This position reports to the Senior Director of Platform Security Engineering and resides in our Research organization, whose responsibilities include vulnerability research, product security and threat detection techniques for the current Operational Technology (OT) threat landscape. 

You will be expected to build and implement a Product Security program from scratch that encompasses a very deep technical stack from proprietary hardware up to front-end software systems. You will guide and mentor other Product Security engineers to help implement the program alongside you. You will work closely with Product, Field, and DevOps Engineers to develop requirements for the program and then implement solutions for those requirements. You will be expected to adapt the program based on changing customer deployment configurations, rapid changes to products, and compliance and certification needs. 

We are looking for someone with an insatiable appetite for learning who frequently explores ways to make the impossible possible. Someone who embraces uncertainty, thrives in the unknown, and views incomplete information as an opportunity. You should have a passion for hardening critical infrastructure systems, taking zero shortcuts when it comes to securing our products, and finding vulnerabilities and bugs. You must own what you build and understand the responsibility that comes with securing our products: it is a zero-fail mission, where failure could cause damage to real systems and people's lives. Your mission is to ensure that our customers can trust our platform with their most sensitive operations and data. If this sounds like you, drop us a line because we'd love to start a conversation.

Shift5 is a rapidly growing cybersecurity scale-up. We specialize in cybersecurity technology, data collection, and insights for a wide variety of operational systems. To put it simply, we defend planes, trains, and tanks from cyberattack. We are a collaborative, passionate, and driven cadre of cybersecurity experts. Our engineers are multidisciplinary and our team is dynamic. We're a growing company focused on helping our customers' fleets run smarter and safer by capitalizing on mountains of data resting right above the wheels. Come join us.

In this role you will be expected to:

  • Architect a comprehensive Product Security program from scratch for a cybersecurity product that spans a deep technical stack.
  • Develop internal processes and tooling to automate the analysis and testing of Shift5 hardware and software.
  • Develop methods to detect vulnerabilities within the software supply chains that fuel our DevOps pipelines and products.
  • Work with product engineers and field teams to develop a culture of secure software development standards and practices.
  • Research, design, and implement a wide array of hardware and software product security features. 
  • Exhibit strong secure programming skills (C/C++, Python, and other languages).
  • Understand best practices around operating system security (primarily Linux) and container security (using Docker, Docker Compose, Kubernetes, Podman, etc.). 
  • Regularly perform Shift5 source code audits, manage external 3rd party source code audits, write audit reports, recommend remediations, and validate post-remediation changes. 
  • Regularly perform white, gray, and black box IT & OT security penetration tests of Shift5 products. 
  • Assist in creating the necessary infrastructure to perform security penetration tests that include assessing the security of OT interfaces. 
  • Develop OT attack frameworks and tools that can perform simulated and/or real attack scenarios on serial bus networks (e.g. bus protocol fuzzers).
  • Assist in vulnerability or risk remediation efforts by effectively triaging bug findings, coordinating Engineering's response, and either guiding teams through the implementation of fixes or implementing them yourself.
  • Perform risk assessments and mitigations of various product integrations into customer environments.
  • Develop and maintain deep expertise on how our products are engineered. 
  • Analyze operational data, threat intelligence, and vulnerability insights of our customer platforms to continuously improve our Product Security. 
  • Assist with any investigations related to product security incidents in the field. 
  • Effectively collaborate across multiple organizations to communicate and execute the Product Security program.
  • Create reports and records that describe the Product Security program, assist with compliance and certification needs/directives, and others as the program dictates. 
  • Be ready to learn and be flexible. You will be engaged in a wide variety of work in support of Shift5 priorities and products, which often change in a growing company.
  • Travel into headquarters whenever needed to adjust the physical infrastructure or set up additional lab environments.
  • Occasional travel to customer sites is expected. 

We're looking for someone who is/has:

  • BS or MS in Computer Science, Electrical Engineering, Computer Engineering, or equivalent.
  • Experience in product and application security.
  • Strong proficiency in secure software engineering using C/C++, Python, and other languages.
  • Strong proficiency with container security using Docker, Docker Compose, Kubernetes, Podman, and associated assessment tools.
  • Strong proficiency with a wide variety of SAST, DAST, IAST, vulnerability scanners, and other code vulnerability checkers.  
  • Strong proficiency with secure operating system principles, security controls, audit mechanisms, and tools for continuous monitoring - all within the context of Linux operating systems.
  • Experience with a wide variety of DevOps tools (git, Gitlab, Gitlab-CI, Conan and other C/C++ package managers, Linux operating systems, etc.).
  • Experience with penetration testing, red teaming, and/or vulnerability research, preferably within the OT space but not required.
  • Familiarity with serial and embedded protocols such as MIL-STD-1553, ARINC 429, CAN, etc.
  • Experience with developing cyber attack frameworks or tools, preferably for OT but not required. 
  • Experience with embedded, application, back-end, and front-end software systems. Not all areas are expected, but maximum coverage is preferred.
  • Effective communication skills in both written and verbal formats.
  • Has collaborated across multiple organizations, particularly with engineers, to remediate security vulnerabilities, implement new security features, and help prioritize product security requirements.
  • Ability to navigate multiple competing priorities. 
  • Ability to quickly learn and deploy new technologies. 
  • Passion for securing products. 
  • US citizenship.
  • Ability to obtain or hold a US Government security clearance.

Compensation & Benefits:

  • Competitive salary and stock options in a fast-growing startup
  • Employer-paid medical, dental and vision coverage for employees and their families
  • Health Savings Account with annual employer contributions
  • 401k with employer contributions
  • Employer-paid Life Insurance
  • Uncapped paid time off policy
  • Flexible work & remote work policy
  • Tax-deferred public transit benefits with Metro SmartBenefits (DC/MD/VA)

We are committed to building an inclusive culture of belonging that embraces the diversity of our people and represents the communities in which we work and the customers we serve. We know the happiest and highest performing teams include people with diverse perspectives and ways of solving problems. We strive to attract and retain talent from all backgrounds and create workplaces where everyone feels empowered to bring their full, authentic selves to work. 

Shift5 is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sexual orientation, gender identity, national origin, disability, age, marital status, ancestry, protected veteran status, or any other protected group or class.
