Job Title: Junior to Mid Product Security Assessor
Location: 100% REMOTE
Contract length: 6 months to start, with ongoing renewals likely
Is contract-to-hire? No
Onsite schedule: 100% REMOTE
Years of experience needed: 1-3+
Top 3 skills the client needs candidates to have experience with:
- Must have performed product security audits or assessments
- Must have worked with IoT devices
- Must be comfortable interfacing with engineering and development teams
Job Description:
The Product Security Assessor is responsible for performing structured, risk-based security assessments across Generac products and platforms, spanning backend cloud services, DevSecOps pipelines, and IoT devices. This role is assessment-focused rather than build-focused, combining deep technical understanding with strong analytical and documentation skills. The assessor evaluates architectures, implementations, and controls against established security requirements and standards, particularly IEC 62443 (the IEC series of standards for the security of industrial automation and control systems), and provides clear, actionable remediation guidance to engineering teams. This role aligns with the offshore Product Security engagement model and supports scalable, repeatable security reviews across the portfolio.
Key Responsibilities:
1. Product Security Assessments:
- Conduct end-to-end product security assessments for cloud services, backend systems, DevSecOps pipelines, and IoT devices against defined security requirements.
- Evaluate security controls across application, infrastructure, device, and pipeline layers to identify gaps, weaknesses, and non-conformances.
- Perform assessments aligned to IEC 62443 (notably the IEC 62443-4-1 secure product development lifecycle requirements and the IEC 62443-4-2 component security requirements) and internal Generac product security standards.
- Clearly document assessment scope, findings, compliance status, and overall security posture.
2. Threat Modeling and Risk Analysis:
- Perform structured threat modeling for identified findings and architectural designs across cloud, device, and DevSecOps domains.
- Assess risk severity and potential impact, considering exploitability, exposure, and business context.
- Translate technical findings into clear risk statements that engineering and product teams can act upon.
3. Backend and Cloud Security Assessment:
- Assess backend cloud architectures, including containerized workloads and orchestrated environments, for secure configuration, network segmentation, identity controls, and data protection.
- Review container security practices such as image scanning, runtime protections, and least-privilege configurations.
- Evaluate cloud logging, monitoring, and incident detection capabilities to ensure adequate security observability.
4. DevSecOps and Pipeline Security Assessment:
- Assess CI and CD pipelines to ensure security controls are integrated and consistently applied.
- Review use of SAST, DAST, SCA, and infrastructure-as-code scanning within development workflows.
- Evaluate secrets management, key handling, and signing processes used in build and release pipelines.
- Identify gaps in automation, enforcement, or visibility that could introduce security risk.
5. Device and Firmware Security Assessment:
- Conduct IoT device security assessments covering hardware, firmware, and embedded software.
- Evaluate secure boot, firmware signing, credential storage, encryption, and update mechanisms.
- Assess protections against physical tampering, reverse engineering, and unauthorized firmware modification.
- Review device compliance against IEC 62443-based device security requirements (the component-level requirements of IEC 62443-4-2).
6. Reporting and Remediation Guidance:
- Produce clear, structured assessment reports that document findings, risk ratings, and compliance gaps.
- Provide prioritized, risk-informed remediation recommendations that are practical and actionable.
- Support engineering teams by clarifying findings, answering technical questions, and validating remediation evidence.
7. Engagement Execution and Governance:
- Execute assessments in alignment with defined Product Security engagement models and timelines.
- Participate in regular checkpoints, status updates, and structured feedback sessions.
- Ensure consistency and quality across assessments through standardized templates and methodologies.
Qualifications:
- Bachelor's degree in Computer Science, Engineering, Cybersecurity, or related field.
- 2+ years of experience in product security, cloud security, DevSecOps, or IoT security roles.
- Strong understanding of backend cloud architectures, container platforms, and CI and CD pipelines.
- Working knowledge of embedded systems, firmware security, and IoT security principles.
- Hands-on experience performing threat modeling, vulnerability assessments, and security reviews.
- Familiarity with security standards and frameworks such as IEC 62443, ISO/IEC 27001, and NIST SP 800-53.
- Ability to produce clear, concise, and high-quality security assessment documentation.
- Certifications such as CISSP, CCSP, CSSLP, or cloud security certifications are desirable.
Compensation:
The hourly rate for this position is $21.00 to $29.00 per hour.
Factors which may affect starting pay within this range include geography/market, skills, education, experience, and other qualifications of the successful candidate.
Benefits:
Sunrise offers ACA-compliant medical, dental, and vision insurance to all employees. We also offer sick time benefits as required by state regulations.