Product Security Lead

Compensation: 156k – 232k | Location: Los Angeles, CA (California) | Category: Security Engineering | Onsite | 5+ years of experience
Summary

Lead product security for satellite communications systems, owning application security, vulnerability management, cryptography, and compliance across the full software development lifecycle. Requires 5+ years in security engineering with TS/SCI clearance eligibility.

About the role

Responsibilities

Application Security & SDLC

  • Own application security across the full software development lifecycle, ensuring security requirements are defined, validated, and enforced from design through production release.
  • Conduct security architecture reviews and threat modeling for new product features, platform changes, and third-party integrations.
  • Establish and maintain secure coding standards, security review gates, and developer security training programs.
  • Serve as the primary security liaison for product engineering teams, translating compliance and security requirements into actionable engineering guidance.

SAST, DAST & Vulnerability Management

  • Deploy, manage, and continuously improve static application security testing (SAST) and dynamic application security testing (DAST) tooling integrated into development workflows.
  • Own the vulnerability management program end-to-end: discovery, triage, prioritization, remediation tracking, and reporting across product and infrastructure systems.
  • Conduct and coordinate penetration testing against Northwood's products and infrastructure, including scoping, execution, findings management, and remediation validation.
  • Build and maintain container security scanning, dependency analysis, and software composition analysis (SCA) pipelines.

CI/CD Security & Secrets Management

  • Integrate automated security validation and policy enforcement into CI/CD pipelines, ensuring security controls do not impede engineering velocity.
  • Own secrets management infrastructure, including deployment, policy configuration, access controls, and audit logging for platforms such as HashiCorp Vault.
  • Implement and enforce controls for secure artifact management, signing, and supply chain integrity across build and deployment pipelines.
  • Review and harden Infrastructure as Code, GitOps workflows, and deployment automation for security misconfigurations and policy violations.

Cryptography & Secure Communications

  • Design and implement cryptographic controls for data at rest, data in transit, and satellite communication protocols, ensuring alignment with NIST standards and government customer requirements.
  • Evaluate and advise on cryptographic library selection, key management architecture, and certificate lifecycle management.
  • Identify and remediate cryptographic weaknesses across product systems, including legacy protocol usage, weak cipher configurations, and improper key handling.

Team Leadership & Cross-Functional Collaboration

  • Hire and develop product security engineers as the team scales.
  • Collaborate with network operations, mission management, and compliance teams to maintain a security posture that enables mission success without breaking deployment cycles.
  • Build security documentation, audit evidence, and reporting standards that satisfy FedRAMP, CMMC, and NIST 800-171 requirements.

Requirements

  • 5+ years in product security, application security, or a closely related security engineering discipline, with demonstrated technical leadership experience.
  • Deep expertise in SAST and DAST tooling, including tool selection, integration into CI/CD pipelines, and results-driven vulnerability remediation programs.
  • Hands-on experience conducting or coordinating penetration testing engagements, including scoping, execution, and remediation validation.
  • Strong applied cryptography knowledge, including symmetric and asymmetric encryption, PKI, key management, and secure protocol design.
  • Experience owning vulnerability management programs, including prioritization frameworks, SLA enforcement, and executive reporting.
  • Proficiency with secrets management platforms such as HashiCorp Vault, including policy design and access control architecture.
  • Experience securing CI/CD pipelines and GitOps workflows, including IaC security review and automated security gate implementation.
  • Proficiency in one or more general-purpose programming languages (Python, Go, Rust, or equivalent).
  • Familiarity with government compliance frameworks including NIST 800-171, CMMC, and FedRAMP.
  • Ability to obtain and maintain a TS/SCI clearance.
  • U.S. citizenship or status as a lawful permanent resident required to conform with ITAR export regulations.

Nice-to-Haves

  • Active TS clearance or higher.
  • Experience with HashiCorp Vault, Terraform, and ArgoCD in production environments.
  • Hands-on experience with container security scanning, admission controllers, and microservices security patterns.
  • Familiarity with software supply chain security frameworks and tooling (SLSA, Sigstore, SBOM generation).
  • Background in aerospace, defense, critical infrastructure, or other regulated industries.
  • Experience with DFARS compliance, ITAR, and government contracting security requirements.
  • Familiarity with eMASS or similar government assessment and authorization tools.
  • CISSP, CSSLP, OSCP, or equivalent professional certification.

Skills

SAST, DAST, penetration testing, vulnerability management, HashiCorp Vault, CI/CD security, GitOps, Infrastructure as Code, cryptography, Python, Go, Rust, NIST 800-171, CMMC, FedRAMP