DevSecOps Engineer

We are seeking a senior DevSecOps engineer for direct assignment to one of our enterprise clients - a global test-and-measurement and instrumentation OEM with a broad portfolio of embedded and long-lifecycle products. The engagement supports the client's initiative to achieve compliance with the EU Cyber Resilience Act (CRA) ahead of the December 2027 enforcement date. This requisition is for the US Citizen seat on a three-person engineering team. The selected candidate will be the team's designated US-based resource and must be a
US Citizen - Lawful Permanent Residents do not qualify for this role.

Scope & Environment

The work introduces security controls into an existing and diverse product ecosystem rather than building greenfield solutions. Expect:

• A broad portfolio of products across embedded systems and long-lifecycle device lines
• A large number of repositories, including legacy codebases predating modern DevSecOps/CI/CD practices
• High heterogeneity: multiple build systems, toolchains, and packaging processes - standard, custom, and vendor-specific
• Continuous balancing of regulatory compliance (CRA), engineering pragmatism, and portfolio-wide scalability
• Solutions must be long-term maintainable, auditable, and reusable across teams

What the Engineer Will Do

• Implement and scale SAST and SCA across heterogeneous and often legacy codebases
• Generate and maintain Software Bills of Materials (SBOMs)
• Integrate security tooling into multiple build systems and CI/CD pipelines, including vendor-specific and custom toolchains
• Design scalable, reusable security workflows applicable across many repositories and product teams
• Contribute to a central vulnerability and waiver database supporting consistent risk-acceptance management, audit traceability, and long-term reporting
• Translate CRA regulatory requirements into concrete, engineering-pragmatic technical controls
• Drive end-to-end ownership of initial priorities: rapid implementation of security scanning and full visibility of current security posture

Required Experience

• Demonstrable product-security or regulated-compliance background (CRA, IEC 62443, FDA, DoD, ISO 27001, or similar) with the ability to translate regulation into technical solutions
• Hands-on, production-scale experience with SAST and SCA tools (e.g., Veracode, CodeSonar)
• Practical experience generating and maintaining SBOMs
• CI/CD build and automation across GitHub, GitLab, GitHub Actions, and AWS
• Working knowledge of C and C
• Working knowledge of Python (automation scripts, supporting tools)
• Experience integrating security into multiple build systems and toolchains (CMake, Make, vendor-specific)
• Track record scaling security workflows across portfolios with many repositories and a mix of legacy and greenfield work
• Experience designing or contributing to vulnerability, waiver, or risk-acceptance databases
• Awareness of embedded systems and long-lifecycle product constraints

Preferred (Nice-to-Have)

• Prior exposure to semi-automated or AI-assisted vulnerability remediation workflows (as engineering support, not replacement for engineering decisions)
• Previous DevSecOps work at OEMs with broad hardware portfolios
• Familiarity with federal or highly regulated industries

#LI-BS1