
Lead Product Security Engineer
Posted 5 days ago

• You will serve as the technical authority on product security at Aalyria, reporting directly to the Director of Security & IT.
• You will take ownership of application security, CI/CD processes, supply-chain security, our Kubernetes-based product infrastructure, as well as product-side authentication and PKI.
• You will collaborate closely with the hardware engineering team on Tightbeam.
• Responsibilities include application & software security, encompassing SAST/DAST/SCA, secure SDLC, threat modeling, and software vulnerability management throughout our codebase.
• Focus on CI/CD and supply-chain security by enhancing our GitLab pipelines, ensuring build provenance, maintaining dependency integrity, signing, and implementing SLSA-aligned controls.
• Ensure the security of our product infrastructure through GKE and Kubernetes hardening, container security, workload identity, network policy, and runtime protection.
• Manage product PKI, including certificate lifecycle management, issuance, rotation, and mTLS architecture across distributed services and remote assets.
• Oversee vulnerability management, handling triage, prioritization, remediation tracking, and exception handling for both disclosed upstream issues and internal findings.
• Direct product incident response efforts, leading triage and response for product-side security incidents while coordinating with corporate IR and facilitating post-mortems to implement improvements.
• Enhance product infrastructure by establishing baseline configurations, secure defaults, and compensating controls across product environments.
• Partner with the Tightbeam team on hardware security, focusing on firmware security, secure boot processes, key storage, and hardware supply-chain integrity.
• Proven senior- or staff-level hands-on experience in product security or security engineering, with a substantial focus on software/AppSec.
• Experience securing cloud environments with in-depth knowledge of IAM, organization policies, VPC Service Controls, KMS, and Kubernetes.
• Strong understanding of cryptography, including PKI architecture, key management, signing, mTLS, and secrets handling at scale.
• Proficiency in coding with Python, Bash, and Go; capable of developing tooling, automating controls, and deploying Terraform/scripts as needed.
• Ability to review code is a plus.
• A history of developing security programs rather than merely operating existing tools.
• Experience in leading product incident responses, including triage, coordination with engineering teams, managing customer communications, and owning post-mortems.
• A consistent pattern of mentoring engineers and enhancing the security standards of teams around you, even without direct reports.
• Familiarity with interfacing with hardware/firmware teams, even if hardware isn't your primary focus.
• Exceptional written communication skills, capable of producing threat models, design documents, and program updates for executives, customers, and assessors.
• Working knowledge of compliance frameworks governing our environment, such as CMMC, FedRAMP, and DFARS, along with the ability to translate controls into actionable engineering tasks.
• Innovative Environment: Join a cutting-edge company that is defining the future of aerospace communications.
• Impactful Work: Play a direct role in significant national security programs and initiatives.
• Growth Opportunities: Advance your career with various professional development and advancement opportunities.
• Inclusive Culture: Become part of a collaborative, supportive, and inclusive workplace where your input is valued.
• Flexibility: Enjoy flexible working arrangements, including hybrid remote/in-office schedules.