Embedded Product Security Engineer
Indexed description
Eagle Wireless is a connectivity company delivering secure, reliable, and scalable cellular modules and solutions for automotive and IoT applications. With a strong presence in the United States and global R&D teams across North America, Europe, and APAC, Eagle Wireless supports customers worldwide with long-life, compliant, and cyber-secure connectivity products. Focused on trust, supply chain resilience, and regulatory compliance, Eagle Wireless helps OEMs, Tier 1 suppliers, and IoT innovators deploy connected technologies with confidence in an increasingly complex global environment.
We are looking for: Embedded Product Security Engineer
This is a hands-on technical role. You will write and run code, operate tooling in containers, generate customer-facing reports, and work directly with firmware and software engineers to remediate findings. You will also be a key contributor to our CI/CD pipeline, embedding security analysis at the build stage rather than as an afterthought.
Key responsibilities:
CVE triage and vulnerability management
- Monitor CVE feeds and security advisories relevant to our component stacks across all product lines
- Triage incoming CVEs against maintained SBOMs, assess exploitability, and determine applicability per product
- Author and deliver VEX (Vulnerability Exploitability eXchange) documents to customers within required timelines
- Maintain component inventory as products evolve through their lifecycle
- Operate and maintain vulnerability management tooling (e.g. Dependency-Track or equivalent)
SBOM generation and maintenance
- Generate and maintain accurate SBOMs (CycloneDX / SPDX) for all 20+ product lines
- Integrate SBOM generation into CI/CD pipelines so artifacts are produced automatically at build time
- Deliver SBOMs to customers in required formats (CycloneDX, SPDX) on agreed cadences
- Track third-party component updates, license changes, and EOL status across the product portfolio
Secure CI/CD and DevSecOps integration
- Work with platform and DevOps engineers to integrate security tooling into build pipelines
- Deploy and maintain source code static analysis tools (e.g. Coverity, Clang Static Analyzer) and binary analysis tools (e.g. Binwalk, Finite State, Binary Ninja) — selecting the right tool for the analysis context
- Implement and manage code signing and binary signing workflows for firmware and software releases, including key management and certificate lifecycle
- Define and enforce security gates in the pipeline — builds that introduce new critical findings do not ship
- Support secret scanning, dependency checking, and licence compliance tooling in CI
- Maintain reproducible, containerised analysis environments so tooling runs consistently across dev, CI, and ad-hoc investigation contexts
Firmware and hardware security analysis
- Perform or coordinate binary firmware analysis using tools such as Binwalk, Ghidra, Binary Ninja, and Finite State to identify vulnerabilities, hardcoded credentials, and insecure configurations
- Conduct or support source code security review of C/C++ and embedded codebases, identifying memory safety issues, unsafe function usage, and logic flaws
- Assess hardware debug interfaces (UART, JTAG, SWD) for exposure and insecure defaults; document findings and work with hardware engineers on mitigations
- Evaluate boot security: secure boot, chain-of-trust, and firmware signing enforcement
- Identify and triage vulnerabilities specific to cellular module threat models — baseband exposure, AT command surface, modem firmware, and OTA update security
- Produce structured technical findings reports from firmware and hardware analysis, suitable for engineering remediation and customer-facing disclosure where required
Reporting and automation
- Write Python scripts and tooling to automate vulnerability report generation for customer delivery
- Build and maintain containerised analysis workflows that can be run reliably across different environments
- Produce clear, accurate security reports suitable for both technical and non-technical customer contacts
- Maintain dashboards and metrics for internal tracking of vulnerability status across the product portfolio
Customer and cross-functional support
- Produce technical security data packages — SBOMs, VEX documents, and scan results — for customer delivery
- Provide technical input to penetration test scoping and support findings review
- Work with firmware and software engineers to communicate vulnerability findings clearly and track remediation
- Ensure outputs (SBOMs, VEX documents, reports) meet the technical requirements of CRA
Required qualifications
- 3+ years in a product security, application security, or security engineering role
- Hands-on Python development — you write scripts and tooling, not just configure dashboards
- Practical experience with SBOM formats (CycloneDX, SPDX) and VEX
- Working knowledge of CVE, CVSS, and vulnerability triage methodology
- Experience with container-based workflows — building, running, and debugging containers (Docker, Podman)
- Familiarity with CI/CD systems (Jenkins, Bitbucket Pipelines, Gerrit, or similar) and integrating security tooling into pipelines
- Experience with source code static analysis tools (e.g. Coverity, Clang Static Analyzer) — able to tune rules, review findings, and distinguish true positives from noise
- Hands-on experience with binary firmware analysis tooling — Binwalk for unpacking and filesystem extraction, Ghidra or Binary Ninja for reverse engineering and disassembly
- Practical understanding of hardware debug interfaces: UART, JTAG, and SWD — what they expose, how to assess them, and how to advise on hardening
- Understanding of code signing, certificate management, and PKI as applied to firmware or software releases
- Strong written communication — you will author documents that go directly to customers
Preferred qualifications
- Experience in an embedded systems, firmware, or hardware product company — cellular, IoT, or industrial preferred
- Familiarity with cellular module threat models: AT command attack surface, baseband firmware, SIM/eSIM security, and OTA update mechanisms
- Experience with Finite State or similar commercial firmware security analysis platforms
- Reverse engineering experience with Ghidra, Binary Ninja, or IDA Pro — able to navigate disassembly and identify security-relevant code paths
- Experience testing or assessing hardware debug interfaces (UART, JTAG, SWD) in a lab setting
- Knowledge of EU Cyber Resilience Act requirements and obligations
- Experience with Dependency-Track, Grype, Syft, or similar open-source vulnerability management platforms
- Exposure to OpenVEX or other machine-readable VEX formats
- Understanding of firmware supply chain security concepts (SLSA, sigstore, reproducible builds)
- Relevant certifications: GREM, GPEN, CSSLP, CompTIA Security+, or similar — firmware/hardware focus preferred
- Comfortable in a lab environment — able to work with hardware, connect to debug interfaces, and run tooling on physical devices
What success looks like
30 days - Understand our product portfolio, component stacks, and current SBOM coverage. Identify the largest gaps in our CVE triage process.
90 days - Vulnerability management tooling deployed. SBOM generation automated for at least a subset of product lines. First VEX documents delivered to customers.
6 months - Security gates active in CI/CD. Binary signing integrated. All active products have maintained SBOMs. CVE triage running as a steady-state program rather than reactive firefighting.
12 months - Full product security tooling stack operational and producing consistent outputs. Customer SBOM and VEX delivery running as a steady-state automated program. Product security posture measurably improved and demonstrable through data.
Create a free Caio profile to unlock more results and save your role and location preferences.
Unlock free search