Job Details
Job Title: Sr Information Security Engineer (Open Source Compliance)
Location: Dallas, TX - onsite (five days a week)
The ideal candidate brings at least eight years of hands-on embedded software development experience, with a proven track record of transitioning into security-focused roles. You’ll demonstrate mastery in open-source license compliance, CI/CD automation, vulnerability management, and technical communication—showcasing both self-reliance and the ability to lead initiatives from concept to production. If you’re ready to join a team that sets the standard in Security and empowers its members to excel, this is your chance to make your mark.
Skills:
· Experience: 7+ years in embedded software development (Linux kernel, device/firmware), plus 2+ years in a security‑focused role (DevSecOps/AppSec/Compliance).
· Licensing & Policy: Deep, practical familiarity with GPL/LGPL/MPL/MIT/Apache requirements (attribution, source publication, relinking, derivative‑work analysis) and enforcement throughout the SDLC.
· Languages & Stacks: Strong in C, C++, C#; proficient in Python/JavaScript for automation/tooling; confident with XML/JSON/YAML for configs and SBOMs.
· Build, Packaging & Artifacts: Proficient with CMake, Clang/LLVM, cross‑compilers; package with Conan/Snapcraft; govern artifacts in JFrog Artifactory with risk analysis via JFrog Xray.
· CI/CD & GitOps: Hands‑on with GitHub Actions / GitLab CI and GitOps practices (GitHub/GitLab) for policy‑as‑code and environment orchestration.
· Testing & Vulnerability Triage: Skilled at integrating and interpreting SAST/DAST/IAST results; practical experience with CodeQL, SonarQube, ScanCode, and SBOM tooling (SPDX/CycloneDX).
· Data & Communication: Able to build Power BI dashboards, write SQL, and translate complex technical topics into clear narratives for technical and non-technical audiences.
· Documentation & Training: Exceptional writing quality for SOPs, Working Instructions, and public distribution artifacts; experienced trainer for OSS/GRC topics.
· Collaboration: Comfortable influencing cross‑functional roadmaps and mediating license/security trade‑offs with engineering, Legal, and external partners.
· Education: Bachelor’s or Master’s in Computer Engineering, Electrical Engineering, Computer Science, or closely related field. Security certifications (e.g., CISSP, CSSLP) are a plus.
Responsibilities:
Engineering & Automation (Embedded + SDLC)
- Automate audits of binaries and source for license usage; run SCA and produce SBOMs (CycloneDX/SPDX).
- Standardize reproducible build engineering with CMake and Clang/LLVM; manage dependencies via Conan and Snapcraft (where applicable).
- Govern artifacts in JFrog Artifactory with dependency health checks via JFrog Xray.
- Operationalize GitOps (GitHub/GitLab) and design CI/CD pipelines using GitHub Actions / GitLab CI.
Security Testing & Vulnerability Management
- Integrate SAST/DAST/IAST into embedded and app pipelines (C/C++/C#, Python, JavaScript, XML); enforce gates, SLAs, and remediation workflows.
- Triage third‑party vulnerabilities and assess results from CodeQL, SonarQube, and related scanners; drive fix plans across firmware and supporting services.
Open Source Candidates & Revalidation
- Create, publish, and continually revalidate Open Source Candidates (GPL/MPL and others) with reproducible build scripts, license texts, copyright notices, and end‑user instructions.
- Triage and resolve revalidation build errors (toolchain, linking, dependency, packaging), ensuring public distribution materials remain accurate.
Compliance & Governance
- Conduct formal risk assessments to identify threats and vulnerabilities and recommend mitigating controls.
- Ensure compliance with open‑source licenses and applicable standards (e.g., ISO 27001, ISO/IEC 5230:2020, SOC 2) in partnership with Engineering, Legal, and external stakeholders.
- Evaluate proposed libraries before integration (GPL/LGPL/MPL/MIT/Apache), document obligations (attribution, source offer, relinking), and guide compliant implementation patterns (static vs. dynamic link, dual‑license scenarios).
Documentation, Training & Enablement
- Author/update SOPs, Working Instructions, developer‑facing runbooks, and public distribution READMEs.
- Develop and deliver open‑source and product‑based GRC training to employees and contractors.
- Communicate complex build processes, package management, and license implications to technical and non‑technical audiences.
Incident Response & Continuous Improvement
- Lead incident response (identify, contain, recover), conduct post‑incident reviews, and recommend program and control improvements.
- Monitor industry trends and best practices in Open Source License Compliance; propose program updates proactively.
Data & Reporting
- Publish compliance/security dashboards in Power BI; use SQL to analyze SBOM coverage, license risk, vulnerability posture, and release readiness to support executive decision-making.
Collaboration & Stakeholder Management
- Work cross‑functionally with engineering teams, Legal, and senior leadership for status updates, new requirements intake, and policy alignment; engage external partners (ODMs, vendors, consultants) to meet compliance obligations.
Raj Vemula
Senior Director – Global Sourcing