Product Security Engineer

Gecko Robotics, Boston, MA
Onsite

About The Position

Gecko Robotics is helping the world’s most important organizations ensure the availability, reliability, and sustainability of critical infrastructure. Gecko's complete and connected solutions combine wall-climbing robots, industry-leading sensors, and an AI-powered data platform to provide customers with a unique window into the current and future health of their physical assets. This enables real-time decision making to increase the efficiency and safety of operations, promote mission readiness, and protect the environment and civilization from the effects of infrastructure failure.

We are hiring an experienced Product Security Engineer to embed security deeply into how Gecko designs, builds, deploys, and operates software. This role goes far beyond traditional AppSec scanning or policy enforcement. You will:

  • Shape Gecko’s Secure Development Lifecycle (SDL)
  • Secure cloud-native architectures (AWS, GCP, Azure)
  • Design and implement security and software architecture
  • Act as a technical authority for all things cloud and product security

This role is ideal for someone who has:

  • Strong cloud security, software security, and engineering skills
  • Comfort writing code and building real-world infrastructure
  • Built or fixed secure systems in production
  • Worked closely with engineers (not just assessed, audited, or broken their systems)

Requirements

  • 6+ years of experience in application security or a related role
  • Bachelor’s in Computer Science, Cybersecurity, Information Technology, or a related field (or equivalent experience)
  • Strong understanding of security protocols, cryptography, and application security frameworks (e.g., OWASP)
  • Proficient in security testing tools (e.g., Burp Suite, OWASP ZAP) and methods
  • Experience with programming languages such as Java, Python, or C++
  • Familiarity with various operating systems and datastores
  • Familiarity with Security Best Practices and frameworks (e.g. NIST, ISO27001, SOC 2)
  • Experience with cloud architectures and design patterns (GCP experience is a plus)

Nice To Haves

  • Experience in robotics, industrial systems, or safety-critical environments
  • Experience supporting DoD or regulated defense customers
  • Red team or offensive security background
  • Experience building SDLs from scratch or maturing them significantly

Responsibilities

Secure Development Lifecycle (SDL) Ownership

  • Design, implement, and evolve Gecko’s SDL across design, build, test, deploy, and operate
  • Embed security into CI/CD pipelines without slowing delivery
  • Define security gates that are practical, measurable, and enforceable
  • Drive remediation workflows that engineers actually complete

Application & Code Security

  • Perform hands-on secure code reviews (Python, TypeScript, CloudFormation/Terraform, backend services)
  • Identify and remediate vulnerabilities across APIs, services, auth flows, and data access
  • Build and implement secure patterns (authN/authZ, secrets handling, input validation, crypto usage)
  • Own and operate application security tooling (SAST, DAST, dependency and secret scanning) with a focus on signal quality and developer adoption

Cloud & Infrastructure Security

  • Secure cloud-native architectures (IAM, networking, storage, compute, CI/CD)
  • Identify toxic combinations (e.g., public access combined with IAM misconfigurations)
  • Partner with platform teams to harden baseline infrastructure
  • Support container, workload identity, and service-to-service security
  • Lead incident response and root cause analysis for security events
  • Build and maintain automation to integrate security controls into CI/CD pipelines

Architecture & Threat Modeling

  • Lead threat modeling for new systems, features, and integrations
  • Review system and data flow architectures for security risks
  • Translate abstract threats into concrete mitigations
  • Influence design decisions early, before code ships

Detection, Response & Resilience

  • Partner with SOC and engineering teams to lead incident response
  • Support investigations, containment, and post-incident reviews
  • Help turn incidents into durable architectural improvements
  • Improve logging, detection, and security telemetry over time

Compliance & Customer Trust

  • Map technical controls to leading compliance frameworks (ISO 27001, SOC 2, NIST 800-53, FedRAMP, DoD IL-4 and IL-5)
  • Automate audit evidence collection instead of maintaining spreadsheets
  • Ensure documented security controls align with real system behavior
  • Enable Gecko’s expansion into regulated and mission-critical environments

Developer Enablement

  • Create practical security guidance, tooling, and internal documentation to scale adoption
  • Deliver targeted technical training for engineers (not generic awareness)
  • Act as a trusted advisor, not a blocker

Benefits

  • company equity
  • 401(k) matching
  • gender-neutral parental leave
  • full medical, dental, and vision insurance
  • mental health and wellness support
  • ongoing professional development
  • family planning assistance
  • flexible paid time off
© 2024 Teal Labs, Inc