Original listing text, shown exactly as published by the company.
Responsibilities
Application Security & SDLC
- Own application security across the full software development lifecycle, ensuring security requirements are defined, validated, and enforced from design through production release.
- Conduct security architecture reviews and threat modeling for new product features, platform changes, and third-party integrations.
- Establish and maintain secure coding standards, security review gates, and developer security training programs.
- Serve as the primary security liaison for product engineering teams, translating compliance and security requirements into actionable engineering guidance.
SAST, DAST & Vulnerability Management
- Deploy, manage, and continuously improve static application security testing (SAST) and dynamic application security testing (DAST) tooling integrated into development workflows.
- Own the vulnerability management program end-to-end: discovery, triage, prioritization, remediation tracking, and reporting across product and infrastructure systems.
- Conduct and coordinate penetration testing against Northwood's products and infrastructure, including scoping, execution, findings management, and remediation validation.
- Build and maintain container security scanning, dependency analysis, and software composition analysis (SCA) pipelines.
CI/CD Security & Secrets Management
- Integrate automated security validation and policy enforcement into CI/CD pipelines, ensuring security controls do not impede engineering velocity.
- Own secrets management infrastructure, including deployment, policy configuration, access controls, and audit logging for platforms such as HashiCorp Vault.
- Implement and enforce controls for secure artifact management, signing, and supply chain integrity across build and deployment pipelines.
- Review and harden Infrastructure as Code, GitOps workflows, and deployment automation for security misconfigurations and policy violations.
Cryptography & Secure Communications
- Design and implement cryptographic controls for data at rest, data in transit, and satellite communication protocols, ensuring alignment with NIST standards and government customer requirements.
- Evaluate and advise on cryptographic library selection, key management architecture, and certificate lifecycle management.
- Identify and remediate cryptographic weaknesses across product systems, including legacy protocol usage, weak cipher configurations, and improper key handling.
Team Leadership & Cross-Functional Collaboration
- Hire and develop product security engineers as the team scales.
- Collaborate with network operations, mission management, and compliance teams to maintain a security posture that enables mission success without breaking deployment cycles.
- Build security documentation, audit evidence, and reporting standards that satisfy FedRAMP, CMMC, and NIST 800-171 requirements.
Basic Qualifications
- 5+ years in product security, application security, or a closely related security engineering discipline, with demonstrated technical leadership experience.
- Deep expertise in SAST and DAST tooling, including tool selection, integration into CI/CD pipelines, and results-driven vulnerability remediation programs.
- Hands-on experience conducting or coordinating penetration testing engagements, including scoping, execution, and remediation validation.
- Strong applied cryptography knowledge, including symmetric and asymmetric encryption, PKI, key management, and secure protocol design.
- Experience owning vulnerability management programs, including prioritization frameworks, SLA enforcement, and executive reporting.
- Proficiency with secrets management platforms such as HashiCorp Vault, including policy design and access control architecture.
- Experience securing CI/CD pipelines and GitOps workflows, including IaC security review and automated security gate implementation.
- Proficiency in one or more general-purpose programming languages (Python, Go, Rust, or equivalent).
- Familiarity with government compliance frameworks including NIST 800-171, CMMC, and FedRAMP.
- Ability to obtain and maintain a TS/SCI clearance.
- U.S. citizenship or status as a lawful permanent resident required to conform with ITAR export regulations.
Preferred Qualifications
- Active TS clearance or higher.
- Experience with HashiCorp Vault, Terraform, and ArgoCD in production environments.
- Hands-on experience with container security scanning, admission controllers, and microservices security patterns.
- Familiarity with software supply chain security frameworks and tooling (SLSA, Sigstore, SBOM generation).
- Background in aerospace, defense, critical infrastructure, or other regulated industries.
- Experience with DFARS compliance, ITAR, and government contracting security requirements.
- Familiarity with eMASS or similar government assessment and authorization tools.
- CISSP, CSSLP, OSCP, or equivalent professional certification.
