Software Engineer-Information Security (Open Source Compliance) IRC286485

About The Position

Requirements

• Collaboration & Stakeholder Management: Work cross-functionally with engineering teams, Legal, and senior leadership for status updates, new requirements intake, and policy alignment; engage external partners (ODMs, vendors, consultants) to meet compliance obligations.
• 7+ years in embedded software development (Linux kernel, device/firmware), plus 2+ years in a security-focused role (DevSecOps/AppSec/Compliance).
• Licensing & Policy: Deep, practical familiarity with GPL/LGPL/MPL/MIT/Apache requirements (attribution, source publication, relinking, derivative work analysis) and enforcement throughout the SDLC.
• Languages & Stacks: Strong in C, C++, C#; proficient in Python/JavaScript for automation/tooling; confident with XML/JSON/YAML for configs and SBOMs.
• Build, Packaging & Artifacts: Proficient with CMake, Clang/LLVM, cross compilers; package with Conan/Snapcraft; govern artifacts in JFrog Artifactory with risk analysis via JFrog Xray.
• CI/CD & GitOps: Hands-on with GitHub Actions / GitLab CI and GitOps practices (GitHub/GitLab) for policy as code and environment orchestration.
• Testing & Vulnerability Triage: Skilled at integrating and interpreting SAST/DAST/IAST results; practical experience with CodeQL, SonarQube, ScanCode, and SBOM tooling (SPDX/CycloneDX).
• Data & Communication: Able to build Power BI dashboards, write SQL, and translate complex technical topics into clear narratives for technical and non-technical audiences.
• Documentation & Training: Exceptional writing quality for SOPs, Working Instructions, and public distribution artifacts; experienced trainer for OSS/GRC topics.
• Collaboration: Comfortable influencing cross-functional roadmaps and mediating license/security trade-offs with engineering, Legal, and external partners.
• Bachelor's or Master's in Computer Engineering, Electrical Engineering, Computer Science, or a closely related field.

Nice To Haves

• Security certifications (e.g., CISSP, CSSLP) are a plus.

Responsibilities

• Compliance & Governance: Conduct formal risk assessments to identify threats and vulnerabilities and recommend mitigating controls. Ensure compliance with open source licenses and applicable standards (e.g., ISO 27001, ISO/IEC 5230:2020, SOC 2) in partnership with Engineering, Legal, and external stakeholders. Evaluate proposed libraries before integration (GPL/LGPL/MPL/MIT/Apache), document obligations (attribution, source offer, relinking), and guide compliant implementation patterns (static vs. dynamic link, dual license scenarios).
• Documentation, Training & Enablement: Author/update SOPs, Working Instructions, developer-facing runbooks, and public distribution READMEs. Develop and deliver open source and product-based GRC training to employees and contractors. Communicate complex build processes, package management, and license implications to technical and non-technical audiences.
• Incident Response & Continuous Improvement: Lead incident response (identify, contain, recover), conduct post-incident reviews, and recommend program and control improvements. Monitor industry trends and best practices in Open Source License Compliance; propose program updates proactively.Data & Reporting
• Publish compliance/security dashboards in Power BI; use SQL to analyze SBOM coverage, license risk, vulnerability posture, and release readiness for executive decision-making.

Benefits

• Culture of caring.
• Learning and development.
• Interesting & meaningful work.
• Balance and flexibility.
• High-trust organization.