Fellow Product Security Engineer
Job Description
We are CARIAD, an automotive software development team within the Volkswagen Group. Our mission is to make the automotive experience safer, more sustainable, more comfortable, more digital, and more fun. To achieve that we are building the leading tech stack for the automotive industry and creating a unified software platform for over 10 million new vehicles per year. We're looking for talented, digital minds like you to help us create code that moves the world. Together with you, we'll build outstanding digital experiences and products for all Volkswagen Group brands that will transform mobility. Join us as we shape the future of the car and everyone around it.
Role Summary:
The Fellow Product Security Engineer acts as the technical lead for the Product Security team in the US. They will provide guidance on the architecture, design, and implementation of security primitives. They will also propose technical solutions and actively participate in their coding and integration. Acting as the lead for security projects in the US, they will perform, and coordinate with the engineering and product teams, security code reviews and threat/risk analyses of implementations (software, firmware) that can impact the security of the whole system. They will constantly challenge the status quo and perform security reviews in a variety of settings: ad-hoc security evaluations, external PenTesting, and offensive security projects in coordination with the brands. Autonomy and a great sense of creativity are expected for the Fellow role.
Role Responsibilities:
Lead (Architecture, Design, Code) Product Security Projects in the US
- Drive Security Architecture and Design discussions for SDV projects in the US
- Lead development (coding) with US team members.
- Coordinate with development and testing/validation resources in Germany.
- Drive integration of security primitives, protocols, and libraries with the SDV teams
Perform Security Code Review of sensitive (security/privacy related) implementations
- Implement the process for Security Code Review in collaboration with the Principal Engineer, Compliance and Systems and the leaders of SDV teams.
- Help scale the security code review (automation, leveraging other teams, processes, etc.) to provide actionable guidance to the engineering and product teams.
- Expand the program to third-party integration and product validation (e.g. binary analysis)
Perform Threat Assessment and Risk Analysis at the Component and System Level
- Propose a lightweight version of TARA (Threat Analysis and Risk Assessment) to quickly identify potential threats at the component level, and assess the risk to decide on the next course of action (full TARA, PenTesting, patch or fix, etc.)
- Collaborate with Offensive Security to build tools to expand our investigation capabilities.
- Review the top 10 issues with engineering teams and drive resolution with the support of our Principal Engineer, Compliance and Systems
Challenge other teams and perform PenTesting / Offensive Security experiments
- Perform ad-hoc offensive security experiments to identify potential threats and verify that our SDLC is correctly implemented.
- Build/Write/Action exploits on a variety of systems to challenge the engineering teams and demo existing risks.
- Coordinate with the Offensive Security teams a regular (twice-yearly) hackathon to foster creativity and collaboration between teams to identify vulnerabilities.
General Skills:
- Ability to collaborate with engineering and product organizations.
- Effective written and oral communication skills.
- Collaborate and work with multiple teams across geographies and time zones.
Required Specialized Skills:
- Experience with designing and implementing security in connected systems.
- Ability to perform code reviews for embedded and back-end/infrastructure software to identify potential security issues and vulnerabilities.
- Ability to assess threats and analyze risks, propose fixes/mitigations, and drive those efforts.
- Hands-on experience with PenTesting and/or Offensive Security projects (in short: breaking things, not just building them)
- Security Code Review
- Security Architecture
- Coding (C/C++, Go, Rust, Python, Kotlin, Java; no need to be an expert in all of these languages, but very solid in at least 2)
- System Architecture
- Cryptography Concepts (Encryption, Authentication, Hashing, Non-Repudiation)
- Embedded Security
- Code Hardening
- Access Control and Authorization Frameworks
Desired Skills:
- Building, writing exploits.
- Security Testing and Validation
Workplace Flexibility:
- Calls, (virtual) meetings & workshops (overlapping with German business hours as needed) to align with stakeholders and development teams in Germany.
- Occasional international and domestic travel to provide on-site support and planning/integration workshops with our internal and external stakeholders.
- Hybrid mode preferred, could consider a fully remote candidate if exceptional.
Years of Relevant Experience:
- 20+ years of experience in software engineering with a focus on security and/or privacy
Required Education:
- Bachelor's Degree (Computer Science or Electrical Engineering)
Desired Education:
- Master's Degree (Computer Science or Electrical Engineering)
Compensation
The salary range depends on factors such as geographical differentials, credentials or certifications, industry-based experience, qualifications and training. In the city of Mountain View, California, the salary range for this position is $237,100 - $320,900.
CARIAD, Inc. provides performance-based merit increases and an annual bonus along with a competitive benefits package. Benefits include medical, dental, vision, 401k with employer match and defined contribution plan, short- and long-term disability, basic life and AD&D insurance, employee assistance program, tuition reimbursement and student loan repayment plans, maternity and non-primary caregiver leave, adoption assistance, employee referral program, and vacation and paid holidays. We also offer a unique vehicle lease program that covers registration and insurance fees.
CARIAD is an Equal Opportunity Employer. We welcome and encourage applicants from all backgrounds, and do not discriminate based on race, sex, age, disability, sexual orientation, national origin, religion, color, gender identity/expression, marital status, veteran status, or any other characteristics protected by applicable laws.