Embedded Systems Security Engineer
Listed on 2026-07-08
-
Software Development
Unix/Linux
Join Our Team as an Embedded Systems Security Engineer!
Are you passionate about pioneering security solutions for cutting-edge embedded Linux platforms? We are seeking an innovative and experienced Embedded Systems Security Engineer to lead the design and implementation of robust security architectures for next-generation devices. In this pivotal role, you'll bridge the gap between hardware security, kernel hardening, and secure user-space application containment, ensuring our products are resilient, scalable, and secure from the ground up.
If you're ready to make a tangible impact on device security at scale, we want to hear from you.
- Design and implement Hardware Root of Trust and Secure Boot architectures from the boot loader to the Linux kernel.
- Develop cryptographically verified read-only file systems using dm-verity and implement data encryption at rest.
- Build and maintain Trusted Execution Environments (TEEs) like OP-TEE, and develop secure applications.
- Enforce strict user-space isolation using SELinux, App Armor, cgroups, name spaces, and seccomp filters.
- Automate cryptographic signing pipelines within CI/CD workflows, utilizing HSMs or secure key vaults.
- Collaborate with manufacturing to develop secure device provisioning scripts and validation tools.
- Architect multi-slot boot recovery systems to enhance system resilience against OTA failures and corruption.
- Bachelor’s degree in Computer Science, Electrical Engineering, or related field (or equivalent experience).
- 6+ years of experience in Embedded Linux development, board bring-up, and BSP customization.
- 3+ years deploying device-level security features into production hardware.
- Expertise with boot loader configurations (U-Boot, Barebox) and Linux kernel security subsystems (dm-crypt, dm-verity).
- Deep understanding of ARM Trust Zone architecture (ARMv7-A / ARMv8-A).
- Proven experience with SELinux/App Armor policies and Linux containment tools (cgroups, name spaces).
- Proficiency with embedded build systems like Yocto Project or Buildroot.
- Strong programming skills in C, with scripting expertise in Python or Bash.
Skills:
- Solid foundation in cryptography, including symmetric/asymmetric algorithms, SHA-256/384, and PKI.
- Experience working with Contract Manufacturers or factory lines on secure key injection and fuse-burning protocols.
- Knowledge of embedded container runtimes (LXC, crun) and lightweight sandboxing frameworks.
- Experience designing anti-rollback protection mechanisms for OTA updates.
Education and Experience:
- Bachelor’s degree in a relevant technical discipline.
- 6+ years of hands‑on experience in embedded Linux security and development environments.
- Prior experience with manufacturing scale deployments and security protocols.
- This is an onsite role based in Foster City, CA. Must be willing to work 5 days in the office.
- No relocation is provided; local candidates preferred.
- Ability to work collaboratively with manufacturing and engineering teams.
- Must be legally authorized to work in the United States.
DeWinter Group and Maris Consulting are an equal opportunity employer, and all qualified applicants will receive consideration for employment without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws. We post pay scales which are based on our client pay ranges.
DeWinter, Maris, and our clients have the right to modify the requirements of the role which can impact the pay ranges posted.
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).