Product Security Assurance Architect

About The Position

Requirements

• Bachelor’s, Master’s, or PhD degree in Computer Science, Electrical Engineering, Computer Engineering, Cybersecurity, or a related technical field.
• 10+ years of experience in firmware security, embedded systems security, product security, platform security, or related disciplines.
• Strong expertise in firmware and embedded security concepts, including: secure boot, roots of trust, authentication and authorization, secure communications, firmware update security, cryptographic protections, debug and manufacturing security controls, secure provisioning and lifecycle security.
• Strong understanding of attacker techniques, exploitability analysis, and adversarial thinking applied to embedded systems.
• Experience evaluating threat models, security controls, and product security effectiveness.
• Strong analytical and problem-solving skills with the ability to balance security rigor with business realities.
• Excellent written and verbal communication skills with the ability to communicate effectively with engineering teams, vendors, product leadership, and executives.

Nice To Haves

• Experience with SSD architectures, flash memory systems, storage controllers or embedded hardware platforms.
• Experience with secure development lifecycle (SDL), vulnerability management, PSIRT, or product security assurance functions.
• Familiarity with: secure coding standards, static analysis and security tooling, fuzz testing, penetration testing, security certifications and regulatory expectations (e.g., FIPS, Common Criteria, CRA).
• Experience working with external security research organizations or third-party product security assessments.
• Strong technical depth in firmware and embedded system security.
• Ability to challenge assumptions and assess security from an attacker perspective.
• Strong documentation, analytical, and technical communication skills.
• Ability to influence technical direction through collaboration and technical credibility.
• Strong judgment in balancing product risk, customer commitments, and business priorities.

Responsibilities

• Conduct independent technical security assessments of firmware-driven products, and embedded platforms to identify security gaps, attack paths, implementation weaknesses, and residual risk.
• Assess the effectiveness and completeness of implemented security controls, security mechanisms, and architecture decisions from an assurance and exploitability perspective.
• Evaluate trust boundaries, privileged operations, manufacturing pathways, debug capabilities, firmware update mechanisms, and product lifecycle transitions for potential security weaknesses.
• Evaluate the quality, completeness, and realism of product threat models and challenge assumptions through attacker-informed analysis.
• Conduct exploitability and attack surface analysis across firmware and embedded systems, including: secure boot and roots of trust, authentication and authorization controls, secure firmware update paths, manufacturing and RMA workflows, debug interfaces (UART/JTAG), provisioning and lifecycle security, cryptographic implementations and key management approaches.
• Partner with engineering teams to recommend practical, risk-informed mitigations and compensating controls.
• Advance secure development lifecycle (SDL) effectiveness across product teams by assessing security rigor, implementation quality, and evidence readiness.
• Evaluate effectiveness of product security activities including: threat modeling, secure coding practices, SAST and static analysis, SBOM and dependency management, vulnerability scanning, fuzzing and penetration testing, compiler hardening and secure build configurations, security validation evidence.
• Help establish scalable assurance methodologies and minimum expectations appropriate to product risk and business objectives.
• Partner with adversarial security engineering and product teams to evaluate realistic attack scenarios and challenge defensive assumptions.
• Assess firmware attack surfaces and identify practical attack paths against embedded systems and storage products.
• Translate security findings into durable engineering guidance and portfolio-wide lessons learned.
• Partner with PSIRT and product teams to identify recurring vulnerability patterns and systemic product security weaknesses.
• Translate security incidents, vulnerability trends, and field learnings into improvements in secure development and security assurance practices.
• Support risk assessment and remediation prioritization for significant product security issues.
• Support customer-facing technical security inquiries, security assessments, and product assurance activities.
• Provide technically grounded assessments to support customer security questionnaires, product evaluations, and audit activities.
• Strengthen product readiness for evolving security expectations, regulatory obligations, and industry cybersecurity frameworks.
• Support executive and product leadership in understanding product security posture and residual risk.
• Partner closely with: Platform Security Architects, Firmware Engineering, ASIC and hardware teams, Product Engineering, Quality and Validation, PSIRT, Product Security Assurance, External security assessment partners.
• Drive outcomes through technical influence, collaboration, and pragmatic risk-based decision making.

Benefits

• paid vacation time
• paid sick leave
• medical/dental/vision insurance
• life, accident and disability insurance
• tax-advantaged flexible spending and health savings accounts
• employee assistance program
• other voluntary benefit programs such as supplemental life and AD&D, legal plan, pet insurance, critical illness, accident and hospital indemnity
• tuition reimbursement
• transit
• the Applause Program
• employee stock purchase plan
• Sandisk's Savings 401(k) Plan
• Short-Term Incentive (STI) Plan
• Long-Term Incentive (LTI) program (restricted stock units (RSUs) or cash equivalents)