Product Security Engineer

Spire•Boulder, CO

29d•Hybrid

About The Position

You'll focus on hands-on design and implementation of security related software, to shift security left in our development processes. This includes embedding automated controls such as SBOMs and vulnerability scanning into CI/CD pipelines; maintaining and updating our internal shared libraries and infrastructure for authentication, authorization, and logging; and assisting with monitoring tools for operational services. Where needed, you'll help align systems with NIST 800-171/CMMC requirements, collaborating closely with the Principal Security Engineer, AWS infra team, dev tooling team, chief software engineer, and cybersecurity/GRC group. You'll work in a lean, impact-focused environment-prioritizing deliverables like secure code and architecture with bureaucracy handled by the TPM/GRC org as much as possible. Occasional engagement in security discussions with government entities may be involved, under the principal security engineer's guidance. ~80-90% hands-on work, with the remainder on collaboration and learning.

Requirements

Experience: 5+ years in software or security engineering, with at least 3+ years in security-focused roles. Experience with secure cloud systems (AWS), CI/CD security, and compliance efforts (e.g., NIST, CMMC, or FedRAMP).
Technical Expertise: Proficiency in container security (Docker/Kubernetes), security tools (e.g., Trivy, Snyk, Falco, OPA), and programming languages for tooling (Python, Rust). Understanding of modern attacks and defenses.
Security Acumen: Knowledge of common threats (e.g., injection, lateral movement), controls (NIST 800-53 mappings), DevSecOps practices, SBOMs, zero-trust principles, and SIEM-integrated logging.
Interpersonal Skills: Ability to collaborate constructively with internal teams and contribute to external security discussions as needed.

Nice To Haves

Familiarity with AWS security services (e.g., GuardDuty, Security Hub, Config) and IaC tools (Terraform).
Experience with embedded or satellite security (e.g., secure boot, over-the-air updates).
Contributions to open-source security projects.
Relevant certifications (e.g., CSSLP, OSCP, GIAC) demonstrating practical expertise.
Proven ability to work in small, agile teams and learn from senior mentors.

Responsibilities

Implement Security Controls in SDLC: Assist in integrating security automation into pipelines (e.g., GitHub Actions/ArgoCD for SAST/DAST/SCA, SBOM generation, and vulnerability scanning).
Support Shared Libraries and Infra: Contribute to evolving standard libraries/infra for authn/authz, logging, and other runtime security features, including testing and updates.
Contribute to CMMC Compliance: Hands-on support for implementing controls (e.g., encryption, secure configurations, monitoring) to meet/exceed CMMC Level 2 requirements in AC, IA, SC, and SI families, building on our ISO 27001 foundation.
Assist with Reviews and Models: Participate in security architecture reviews, code audits, and threat modeling; help identify and remediate issues like API vulnerabilities or supply chain risks.
Team Collaboration: Engage in code reviews, pair programming sessions, and tooling development to advance secure practices; provide peer support within the security engineering team.

Stand Out From the Crowd

Upload your resume and get instant feedback on how well it matches this job.

Upload and Match Resume