
Lead Product Security Engineer
Posted Jun 21

This is a fully remote position, open to applicants in the United States.
• You will serve as the technical representative for product security at Aalyria, reporting directly to the Director of Security & IT.
• You will take ownership of application security, CI/CD, supply-chain security, our Kubernetes-based product infrastructure, product-side authentication, and PKI.
• You will collaborate closely with the hardware engineering team on Tightbeam.
• Focus areas include application and software security, SAST/DAST/SCA, secure SDLC, threat modeling, and managing software vulnerabilities throughout our codebase.
• Your responsibilities will encompass CI/CD and supply-chain security, enhancing our GitLab pipelines, ensuring build provenance, maintaining dependency integrity, signing, and implementing SLSA-aligned controls.
• You will ensure the security of our product infrastructure through GKE and Kubernetes hardening, container security, workload identity management, network policy enforcement, and runtime protection.
• You will manage the product PKI, overseeing certificate lifecycle management, issuance, rotation, and the architecture of mTLS across distributed services and remote assets.
• You will handle vulnerability management, including triage, prioritization, remediation tracking, and exception handling for both disclosed upstream issues and internal findings.
• You will lead product incident response efforts, managing triage and response for product-side security incidents, coordinating with corporate incident response, and facilitating post-mortems to drive actionable results.
• You will be responsible for product infrastructure hardening, including establishing baseline configurations, secure defaults, and compensating controls across product environments.
• You will partner with the Tightbeam team on hardware security, focusing on firmware security, secure boot processes, key storage, and maintaining hardware supply-chain integrity.
• You should have senior or staff-level hands-on experience in product security or security engineering, with a strong focus on software/AppSec.
• Proven production experience securing cloud environments, including IAM, organizational policy, VPC Service Controls, KMS, and in-depth knowledge of Kubernetes.
• A solid foundation in cryptography, PKI architecture, key management, signing, mTLS, and secrets handling at scale is essential.
• You should possess hands-on coding skills in Python, Bash, and Go, enabling you to write tooling, automate controls, and deploy Terraform/scripts as necessary.
• Comfort with code review is advantageous.
• A demonstrated history of building security programs, rather than merely operating tools established by others, is required.
• Experience leading product incident response activities, including triage, response, coordination with engineering teams, customer communications, and ownership of post-mortem processes is crucial.
• A consistent record of mentoring engineers and elevating the security standards of your teams, even without direct reports, is expected.
• Experience interfacing with hardware/firmware teams, even if hardware is not your primary area of expertise, is beneficial.
• Strong written communication skills are necessary, as you will be responsible for writing threat models, design documents, and program updates for executives, customers, and assessors.
• A working knowledge of compliance frameworks such as CMMC, FedRAMP, and DFARS is essential, along with the ability to translate controls into engineering tasks.
• Innovative Environment: Join a pioneering company that is shaping the future of aerospace communications.
• Impactful Work: Play a direct role in critical national security programs and initiatives.
• Growth Opportunities: Advance your career with ample professional development and advancement prospects.
• Inclusive Culture: Be part of a supportive, collaborative, and inclusive workplace where your contributions are valued.
• Flexibility: Enjoy flexible working arrangements, including hybrid remote/in-office schedules.