Senior Product Security Engineer

Milwaukee, Wisconsin, United States
Chelmsford, Massachusetts, United States

The Product Security Engineer secures embedded products, firmware, and industrial components across the full product lifecycle. Your role combines firmware security, secure architecture, reverse engineering, and secure development lifecycle practices. You will report to the Product Security Leader/Officer (PSL) and partner with engineering teams through the engineering Vee to mature security controls in high-visibility industrial products used worldwide.

This role is not in IT security, nor Operational Security. You will work with Product Engineering Teams. You will get to see your secured products manufactured then sold and placed into Operational Technology Environments.

You will assess vulnerabilities, analyze SBOM and CVE data, model threats, score risk, and support secure-by-design decisions. You will help create and refine security controls such as secure boot, trusted hardware, cryptographic protections, and secure update mechanisms. You will also assist teams during design reviews, testing, debugging, and remediation activities.

You will evaluate diagnostics, logs, test results, and firmware images to identify weaknesses or anomalies. You will have lifecycle responsibility for threat model components which will be used by Security Champions for Models. The components will use VAST, LINDDUN, IEC 62443, NIST 800-53/800-82, and Common Criteria evaluation techniques. You will lead evaluations of Threat model Dispositions. You will help ensure products meet secure software development framework (SSDF) Dev Sec Ops  processes and support operational security requirements for products which are deployed in OT environments.

This is a product security engineering role focused on embedded systems, firmware, industrial protocols, and secure architecture. It is not an IT Security, Network Security, or Operational Security role. The work directly supports downstream SOC, audit, and enterprise cybersecurity teams by ensuring products are secure from the start.

• Design, review, and improve security controls for firmware, bootloaders, trusted hardware, and cryptographic modules.
• Analyze firmware and binaries using tools such as Ghidra, IDA Pro, Binary Ninja, or similar.
• Support secure coding practices for C/C++ and embedded operating systems.

• Partner with architects and engineering leads to apply secure design principles.
• Support architecture reviews and technical discussions for products in the entire spectrum of their life cycle from cradle to grave.
• Align engineering teams with secure development frameworks such as SSDF, DSOD, and secure lifecycle processes.
• Provide applicable recommendations and rationale to help resolve security design decisions.

• You will support threat models components as part of the Secure Development Life Cycle process. Your components will use VAST, LINDDUN, IEC 62443, NIST 800-53/82, CAPEC, Emb3d, ATT&CK, OWASP and Common Criteria frameworks.
• Identify attack surfaces, trust boundaries, misuse cases, and system risks.
• Evaluate SBOM data, CVEs, CWE/CAPEC mappings, and analysis reports.
• Document risk summaries and security requirements that guide engineering.

• Reproduce reported vulnerabilities using debugging, tracing, instrumentation, or reverse engineering techniques.
• Build proof-of-concept straw men to validate solutions, estimate severity and support prioritization.
• Partner with firmware and hardware teams to design and verify mitigations.

• Contribute to secure build processes, CI/CD workflows, and automated testing.
• Support verification and validation of security controls across development, testing, and manufacturing.

• Review ICs/OT interfaces and protocols such as CIP, CAN, SPI, I2C, UART/RS-485, IO-Link, and Modbus.
• Support secure integration for industrial sensing, safety, and communication products.

• Communicate security risks, mitigations, and recommendations clearly to multiple audiences.
• Participate in secure design reviews, internal audits, and compliance activities.
• You will mentor engineers and help development the cyber competency of the security champions.

• Bachelor's degree in Computer Engineering, Computer Science, Electrical Engineering, or a related field.
• Legal authorization to work in the U.S. We will not sponsor individuals for employment visas, now or in the future, for this job opening.

• Typically requires 8+ years of experience in embedded systems, firmware development, cybersecurity, or product security.
• Proficiency in C/C++, embedded operating systems, microcontrollers, Linux, Infrastructure as Code and device drivers.
• Your experience with secure boot, TPM, cryptography, and…