Back to search
Eagle Wireless Linkedin · Posted 13d ago

Embedded Product Security Engineer

Minneapolis

Linkedin
Continue to application Add your email once, then Caio opens the original posting.

Indexed description

Eagle Wireless is a connectivity company delivering secure, reliable, and scalable cellular modules and solutions for automotive and IoT applications. With a strong presence in the United States and global R&D teams across North America, Europe, and APAC, Eagle Wireless supports customers worldwide with long-life, compliant, and cyber-secure connectivity products. Focused on trust, supply chain resilience, and regulatory compliance, Eagle Wireless helps OEMs, Tier 1 suppliers, and IoT innovators deploy connected technologies with confidence in an increasingly complex global environment.


We are looking for: Embedded Product Security Engineer


This is a hands-on technical role. You will write and run code, operate tooling in containers, generate customer-facing reports, and work directly with firmware and software engineers to remediate findings. You will also be a key contributor to our CI/CD pipeline, embedding security analysis at the build stage rather than as an afterthought.


Key responsibilities:

CVE triage and vulnerability management

  • Monitor CVE feeds and security advisories relevant to our component stacks across all product lines
  • Triage incoming CVEs against maintained SBOMs, assess exploitability, and determine applicability per product
  • Author and deliver VEX (Vulnerability Exploitability eXchange) documents to customers within required timelines
  • Maintain component inventory as products evolve through their lifecycle
  • Operate and maintain vulnerability management tooling (e.g. Dependency-Track or equivalent)


SBOM generation and maintenance

  • Generate and maintain accurate SBOMs (CycloneDX / SPDX) for all 20+ product lines
  • Integrate SBOM generation into CI/CD pipelines so artifacts are produced automatically at build time
  • Deliver SBOMs to customers in required formats (CycloneDX, SPDX) on agreed cadences
  • Track third-party component updates, license changes, and EOL status across the product portfolio


Secure CI/CD and DevSecOps integration

  • Work with platform and DevOps engineers to integrate security tooling into build pipelines
  • Deploy and maintain source code static analysis tools (e.g. Coverity, Clang Static Analyzer) and binary analysis tools (e.g. Binwalk, Finite State, Binary Ninja) — selecting the right tool for the analysis context
  • Implement and manage code signing and binary signing workflows for firmware and software releases, including key management and certificate lifecycle
  • Define and enforce security gates in the pipeline — builds that introduce new critical findings do not ship
  • Support secret scanning, dependency checking, and licence compliance tooling in CI
  • Maintain reproducible, containerised analysis environments so tooling runs consistently across dev, CI, and ad-hoc investigation contexts


Firmware and hardware security analysis

  • Perform or coordinate binary firmware analysis using tools such as Binwalk, Ghidra, Binary Ninja, and Finite State to identify vulnerabilities, hardcoded credentials, and insecure configurations
  • Conduct or support source code security review of C/C++ and embedded codebases, identifying memory safety issues, unsafe function usage, and logic flaws
  • Assess hardware debug interfaces (UART, JTAG, SWD) for exposure and insecure defaults; document findings and work with hardware engineers on mitigations
  • Evaluate boot security: secure boot, chain-of-trust, and firmware signing enforcement
  • Identify and triage vulnerabilities specific to cellular module threat models — baseband exposure, AT command surface, modem firmware, and OTA update security
  • Produce structured technical findings reports from firmware and hardware analysis, suitable for engineering remediation and customer-facing disclosure where required


Reporting and automation

  • Write Python scripts and tooling to automate vulnerability report generation for customer delivery
  • Build and maintain containerised analysis workflows that can be run reliably across different environments
  • Produce clear, accurate security reports suitable for both technical and non-technical customer contacts
  • Maintain dashboards and metrics for internal tracking of vulnerability status across the product portfolio


Customer and cross-functional support

  • Produce technical security data packages — SBOMs, VEX documents, and scan results — for customer delivery
  • Provide technical input to penetration test scoping and support findings review
  • Work with firmware and software engineers to communicate vulnerability findings clearly and track remediation
  • Ensure outputs (SBOMs, VEX documents, reports) meet the technical requirements of CRA


Required qualifications

  • 3+ years in a product security, application security, or security engineering role
  • Hands-on Python development — you write scripts and tooling, not just configure dashboards
  • Practical experience with SBOM formats (CycloneDX, SPDX) and VEX
  • Working knowledge of CVE, CVSS, and vulnerability triage methodology
  • Experience with container-based workflows — building, running, and debugging containers (Docker, Podman)
  • Familiarity with CI/CD systems (Jenkins, Bitbucket Pipelines, Gerrit, or similar) and integrating security tooling into pipelines
  • Experience with source code static analysis tools (e.g. Coverity, Clang Static Analyzer) — able to tune rules, review findings, and distinguish true positives from noise
  • Hands-on experience with binary firmware analysis tooling — Binwalk for unpacking and filesystem extraction, Ghidra or Binary Ninja for reverse engineering and disassembly
  • Practical understanding of hardware debug interfaces: UART, JTAG, and SWD — what they expose, how to assess them, and how to advise on hardening
  • Understanding of code signing, certificate management, and PKI as applied to firmware or software releases
  • Strong written communication — you will author documents that go directly to customers


Preferred qualifications

  • Experience in an embedded systems, firmware, or hardware product company — cellular, IoT, or industrial preferred
  • Familiarity with cellular module threat models: AT command attack surface, baseband firmware, SIM/eSIM security, and OTA update mechanisms
  • Experience with Finite State or similar commercial firmware security analysis platforms
  • Reverse engineering experience with Ghidra, Binary Ninja, or IDA Pro — able to navigate disassembly and identify security-relevant code paths
  • Experience testing or assessing hardware debug interfaces (UART, JTAG, SWD) in a lab setting
  • Knowledge of EU Cyber Resilience Act requirements and obligations
  • Experience with Dependency-Track, Grype, Syft, or similar open-source vulnerability management platforms
  • Exposure to OpenVEX or other machine-readable VEX formats
  • Understanding of firmware supply chain security concepts (SLSA, sigstore, reproducible builds)
  • Relevant certifications: GREM, GPEN, CSSLP, CompTIA Security+, or similar — firmware/hardware focus preferred
  • Comfortable in a lab environment — able to work with hardware, connect to debug interfaces, and run tooling on physical devices


What success looks like

30 days - Understand our product portfolio, component stacks, and current SBOM coverage. Identify the largest gaps in our CVE triage process.

90 days - Vulnerability management tooling deployed. SBOM generation automated for at least a subset of product lines. First VEX documents delivered to customers.

6 months - Security gates active in CI/CD. Binary signing integrated. All active products have maintained SBOMs. CVE triage running as a steady-state program rather than reactive firefighting.

12 months - Full product security tooling stack operational and producing consistent outputs. Customer SBOM and VEX delivery running as a steady-state automated program. Product security posture measurably improved and demonstrable through data.

Free. 20 seconds. No password. See every match in this search.

Create a free Caio profile to unlock more results and save your role and location preferences.

Unlock free search
Want help applying to roles like this? Search Caio for free. If CV tailoring and application tracking get heavy, Full Caio Agent adds a human specialist.
View Full Agent