Product & Application Security Manager

Hybrid in Houston, TX, US • Posted 9 hours ago • Updated 9 hours ago
Contract W2
On-site
$80-90/hr

Job Details

Skills

  • Risk Management
  • Leadership
  • Hardening
  • Automated Testing
  • Continuous Integration
  • Continuous Delivery
  • Design Review
  • Threat Modeling
  • Penetration Testing
  • Customer Facing
  • Security Controls
  • Security QA
  • Legal
  • Cloud Computing
  • Continuous Monitoring
  • Onboarding
  • Information Security
  • ISO/IEC 27001:2005
  • System On A Chip
  • NERC
  • OWASP
  • SANS
  • Collaboration
  • Research and Development
  • Roadmaps
  • Embedded Systems
  • Test Methods
  • Management
  • Communication
  • Computer Science
  • Cyber Security
  • Electrical Engineering
  • Computer Engineering
  • Lifecycle Management
  • DevSecOps
  • Energy
  • Software Security
  • Testing
  • Firmware
  • Supply Chain Management
  • Computer Hardware
  • Regulatory Compliance
  • Procurement
  • Innovation
  • Apache Velocity

Summary

The Position:
Seeking a Product & Application Security Manager to build and scale our secure development, product assurance, and software supply-chain security capabilities. This role is essential to ensuring firmware, applications, and supporting platforms are designed, tested, and delivered with security embedded throughout their lifecycle.

You will lead application and firmware security, software assurance, offensive testing, secure development practices, and supplier risk management. The ideal candidate pairs deep technical expertise with the leadership needed to influence engineers, developers, and partners toward strong, future-ready security standards.

This role is for someone who thrives in complex environments, enjoys solving difficult security challenges, and is motivated by building programs that scale.

Key Responsibilities

Secure Development & DevSecOps
Integrate modern security controls and hardening into every phase of the development lifecycle across applications, firmware, hardware and cloud-connected platforms.
Establish secure coding standards, automated testing requirements, and continuous security validation across CI/CD pipelines, embedded firmware, and hardware.
Lead security design reviews, threat modeling, architecture assessments, and code-level analysis.
Partner with engineering to ensure new features and updates are built securely and consistently.

Offensive Security & Product Assurance
Oversee internal and external penetration testing and teardowns for products, applications, firmware, and supporting components.
Lead product vulnerability identification, triage, remediation, and customer-facing security assurance activities.
Validate security controls through adversarial simulations, red/purple team exercises, and product-level security testing.
Manage product vulnerability disclosure processes in coordination with legal and compliance.

Software & Hardware Supply Chain Security
Lead supplier and third-party security evaluations across hardware, firmware, software, and cloud services.
Own SBOM/HBOM programs, ensuring material transparency, integrity, and continuous monitoring of third-party components.
Define and enforce security requirements within vendor onboarding, procurement, and contract processes.
Track emerging vulnerabilities in dependencies and coordinate timely mitigation efforts across engineering teams.

Collaboration & Engagement
Partner with the Information Security Manager to align product security with enterprise risk, governance, and compliance frameworks (ISO 27001, SOC 2, NIST, SLSA, NERC CIP, OWASP, SANS, etc.).
Collaborate with R&D, engineering, and IT/OT teams to embed product security into roadmaps, design decisions, and operational practices.
Support customer, partner, and regulatory engagements as the subject-matter expert for product and supply-chain security.
Build strong relationships across global and cross-regional engineering teams, navigating time zones and cultural differences effectively.

Requirements
10-12+ years of experience in product security, application security, embedded/firmware security, or DevSecOps.
Strong knowledge of secure coding, application security testing, firmware/embedded security fundamentals, and offensive testing methodologies.
Experience building or leading secure development programs or product assurance functions.
Practical experience with SBOMs, dependency management, software supply-chain security, and disclosure processes.
Familiarity with global security standards and regulations relevant to product and critical infrastructure environments.
Excellent communication skills and the ability to influence engineers, technical leaders, executives, customers, and suppliers.

Preferred
Bachelor's or Master's degree in Computer Science, Cybersecurity, Electrical/Computer Engineering, or related field.
Professional certifications such as CSSLP, OSWE, GICSP, or similar.
Experience with SBOM/HBOM lifecycle management, coordinated vulnerability disclosure, and modern DevSecOps ecosystems.
Background in energy, renewables, industrial control systems, or other critical infrastructure sectors.
Veterans are strongly encouraged to apply

Competencies
Strategic thinker: Connects product security to customer trust, business value, and long-term resilience.
Technical authority: Deep expertise in application security, offensive testing, firmware fundamentals, and secure development.
Supply chain awareness: Understands the risks and complexities of modern software and hardware ecosystems.
Collaborative leader: Effective at partnering across engineering, compliance, procurement, and operational teams.
Pragmatic problem-solver: Delivers scalable, realistic solutions without impairing innovation or delivery velocity.
Global partner: Comfortable collaborating with distributed engineering teams and working across time zones.
Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.
  • Dice Id: cxbcsi
  • Position Id: Job44399