Platform Security Engineer

RED CAT HOLDINGS
South Salt Lake, UT
2d

About The Position

Teal Drones is seeking an experienced Platform Security Engineer to own and mature our end-to-end software security posture across embedded Linux drone platforms, CI/CD infrastructure, and government cloud environments. This role is the primary security authority responsible for threat modeling, vulnerability management, hardened firmware builds, secrets governance, and compliance assessments including Blue List / DoD evaluations. You will collaborate directly with embedded firmware engineers, DevOps, various customers and platform teams to embed security into every layer of the software development lifecycle. This role also includes many hands-on engineering duties.

Requirements

  • Bachelor's or master's degree in Computer Science, Computer Engineering, or a related field.
  • 5+ years hands-on experience in application security engineering, product security, or a closely related security engineering role.
  • Deep experience with embedded Linux systems (Yocto/BitBake, systemd, OverlayFS, device bring-up).
  • Strong proficiency in Linux OS hardening: service minimization, Ubuntu security patching (ESM), CVE management, and secure boot.
  • Experience securing CI/CD pipelines (Jenkins, GitLab CI) including artifact signing, secret scanning, and build isolation.
  • Proficiency with container technologies, primarily Docker.
  • Solid understanding of cryptography fundamentals: RSA, TLS, symmetric encryption, PKI, key management best practices.
  • Familiarity with government cloud security frameworks: FedRAMP, NIST 800-171, CMMC Level 2/3, or DoD IL2/IL4.
  • Experience with vulnerability management tooling: Nessus, OpenVAS, nmap, or equivalent.
  • Strong proficiency in scripting (Bash, Python) for security automation and tooling.
  • Strong written communication skills for producing compliance documentation and security assessments.
  • Proficiency with secrets management platforms (HashiCorp Vault, AWS Secrets Manager, SOPS).

Nice To Haves

  • Active DoD security clearance or eligibility preferred.
  • Background in drone, robotics, or aviation systems security.
  • Knowledge of radio communications security and RF licensing compliance.
  • Relevant certifications: CISSP, OSCP, CSSLP, GREM, or equivalent.
  • Experience with Qualcomm SoC platforms (QRB5165 or similar) and Android Debug Bridge (ADB) workflows.

Responsibilities

Embedded Linux Platform & Firmware Security

  • Design, implement and enforce hardening standards for Ubuntu-based embedded Linux firmware running on Qualcomm QRB5165/8550 and similar SoC platforms.
  • Own the process of auditing, patching, and validating OS-level security updates (e.g., Ubuntu ESM, CVE triage) for offline-deployable drone firmware images, and carry out that work hands-on.
  • Identify and eliminate unnecessary services and open ports from production firmware builds to reduce attack surface during compliance assessments.
  • Develop, author and maintain BitBake/Yocto security recipes and patches for Qualcomm BSP layers, ensuring build-time application of security hardening.

Software Build Pipeline Security

  • Secure CI/CD pipelines, including build isolation, artifact integrity, and protection against race conditions and cross-job artifact contamination.
  • Enforce code signing, reproducible builds, and chain-of-custody controls for firmware artifacts distributed via internal Apache/S3 infrastructure.
  • Implement and audit role-based access controls across SCM and build systems.
  • Define and enforce branch protection policies, merge request security gates, and automated SAST/SCA scanning in CI pipelines.

Secrets Management & Cryptography

  • Lead, design and implement a secrets management strategy across build servers, embedded devices, and cloud infrastructure (e.g., HashiCorp Vault, AWS Secrets Manager).
  • Govern cryptographic key lifecycle: RSA key generation, rotation, storage, and revocation for firmware signing, device authentication, and secure comms.
  • Eliminate hardcoded credentials and insecure secret injection patterns across build scripts, Dockerfiles, and configuration files.
  • Implement challenge-response and hardware-rooted authentication mechanisms for embedded device access control.

Government Cloud & Compliance Security

  • Guide and build architecture and security controls for GovCloud (AWS GovCloud, Azure Government) deployments, ensuring alignment with FedRAMP, NIST SP 800-171, CMMC, and DoD IL requirements.
  • Respond hands-on to Nessus/vulnerability scanner findings (e.g., open port documentation, service inventory) from internal security assessments and Blue List evaluations.
  • Maintain security documentation including system security plans (SSPs), POA&Ms, and network/service inventories for auditable compliance records.
  • Coordinate with assessors and program security officers during formal security reviews of drone systems and supporting infrastructure.

Network & Device Security

  • Conduct and review network security assessments of drone fleet infrastructure, including nmap/Nessus scanning, open port auditing, and firewall rule management.
  • Establish secure remote access patterns for embedded devices (ADB, SSH hardening, udev-based controls) and enforce least-privilege access models.
  • Oversee radio frequency and communications security for drone platforms, including secure licensing and MAC-based authentication workflows for radio hardware.
  • Monitor and respond to security events across fleet management infrastructure using Prometheus/Grafana or similar alerting pipelines.

Security Program Leadership

  • Define and maintain the organization’s platform security roadmap, policies, and standards across hardware, firmware, software, and cloud layers.
  • Champion a security-first engineering culture through training, threat modeling workshops, and design reviews.
  • Manage third-party security vendors, penetration testers, and compliance consultants.
  • Track and report on security KPIs and vulnerability SLA compliance to engineering leadership.

Benefits

  • Salary plus generous annual equity package and potential bonuses.
© 2024 Teal Labs, Inc