SPECTRAFOR is seeking a Senior Software Engineer to join their Product Security team. This role involves developing tooling and infrastructure for generating Software Bill of Materials (SBOMs) for open-source projects and ensuring compliance with the EU Cyber Resilience Act. The engineer will collaborate with various teams to improve security processes and vulnerability detection in open-source components.
Responsibilities:
- Design and develop automated tooling to generate and maintain Software Bill of Materials (SBOMs) for upstream open-source projects in standardized machine-readable formats (e.g., SPDX, CycloneDX)
- Integrate SBOM generation into community Continuous Integration (CI) systems so that top-level and transitive dependencies are tracked in near real time, with each component carrying standard identifiers (CPE, PURL)
- Build 'Early Warning' workflows by connecting community SBOMs with the client's Product Security Incident Response Team (PSIRT) tooling, enabling automatic mapping of newly published vulnerabilities (CVEs) to the upstream projects they affect
- Implement machine-readable advisory generation (CSAF VEX) for community projects to support transparency and automated vulnerability handling requirements
- Continuously improve tooling to reduce the average time to patch critical vulnerabilities in stewarded open-source components
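The 'Early Warning' responsibility above (SBOM components identified by PURL, matched against incoming vulnerability data, with the result published as a CSAF VEX product_status) can be sketched end to end. The following is an added illustration written for this page, not SPECTRAFOR or PSIRT tooling: the CycloneDX fragment, the OSV-format advisory, its ID and CVE alias, and the bom-ref product IDs are all constructed; version comparison is a plain dotted-integer compare rather than a PEP 440 or semver implementation.

```python
"""Minimal 'early warning' matcher: CycloneDX SBOM components + an OSV advisory
-> CSAF VEX product_status. Added illustration only; not SPECTRAFOR tooling.
All inputs are constructed inline. Version comparison is a plain dotted-integer
compare (not PEP 440 / semver aware), which is enough for the sample data."""
import json

# Constructed CycloneDX 1.5 JSON fragment: three components with PURLs.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "bom-ref": "proj-a/requests", "name": "requests",
     "version": "2.25.1", "purl": "pkg:pypi/requests@2.25.1"},
    {"type": "library", "bom-ref": "proj-b/requests", "name": "requests",
     "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "bom-ref": "proj-a/urllib3", "name": "urllib3",
     "version": "2.2.1", "purl": "pkg:pypi/urllib3@2.2.1"}
  ]
}"""

# Constructed OSV-format advisory (hypothetical ID and hypothetical CVE alias).
ADVISORY_JSON = """{
  "id": "EXAMPLE-2024-0001", "aliases": ["CVE-0000-00000"],
  "summary": "constructed example advisory",
  "affected": [{
    "package": {"ecosystem": "PyPI", "name": "requests", "purl": "pkg:pypi/requests"},
    "ranges": [{"type": "ECOSYSTEM",
                "events": [{"introduced": "0"}, {"fixed": "2.31.0"}]}]
  }]
}"""


def load_samples():
    """Parse the constructed inputs (sbom_dict, advisory_dict)."""
    return json.loads(SBOM_JSON), json.loads(ADVISORY_JSON)


def split_purl(purl):
    """'pkg:pypi/requests@2.25.1' -> ('pkg:pypi/requests', '2.25.1').
    In a PURL a literal '@' only ever separates the version (other '@' are
    percent-encoded), so a single partition is safe."""
    base, _, version = purl.partition("@")
    return base, version or None


def version_key(version):
    """Dotted-integer sort key; non-numeric parts count as 0 (simplification)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def is_affected(version, ranges):
    """OSV ECOSYSTEM/SEMVER ranges: a version is affected if it lies in
    [introduced, fixed) for some event pair, or is >= an 'introduced' with no fix."""
    key = version_key(version)
    for rng in ranges:
        if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
            continue  # GIT ranges need commit-graph data; skipped here
        introduced = None
        for event in rng["events"]:
            if "introduced" in event:
                introduced = event["introduced"]
            elif "fixed" in event and introduced is not None:
                if version_key(introduced) <= key < version_key(event["fixed"]):
                    return True
                introduced = None
        if introduced is not None and version_key(introduced) <= key:
            return True
    return False


def classify(sbom, advisory):
    """Map each SBOM component to a CSAF product_status bucket, keyed by bom-ref.
    Components whose base PURL the advisory never mentions are left out."""
    status = {"known_affected": [], "known_not_affected": []}
    affected_pkgs = {a["package"]["purl"]: a["ranges"] for a in advisory["affected"]}
    for comp in sbom["components"]:
        base, version = split_purl(comp["purl"])
        if base not in affected_pkgs or version is None:
            continue
        bucket = "known_affected" if is_affected(version, affected_pkgs[base]) else "known_not_affected"
        status[bucket].append(comp["bom-ref"])
    return status


def build_vex(sbom, advisory):
    """Assemble a CSAF 2.0 'csaf_vex' document skeleton. Publisher and tracking
    dates are omitted; a real document needs them to validate against the schema."""
    status = classify(sbom, advisory)
    listed = set(status["known_affected"]) | set(status["known_not_affected"])
    branches = [{"category": "product_name", "name": c["purl"],
                 "product": {"name": c["purl"], "product_id": c["bom-ref"]}}
                for c in sbom["components"] if c["bom-ref"] in listed]
    return {
        "document": {"category": "csaf_vex", "csaf_version": "2.0",
                     "title": f"VEX for {advisory['id']}"},
        "product_tree": {"branches": branches},
        "vulnerabilities": [{"cve": advisory["aliases"][0],
                             "ids": [{"system_name": "OSV", "text": advisory["id"]}],
                             "product_status": status}],
    }


if __name__ == "__main__":
    print(json.dumps(build_vex(*load_samples()), indent=2))
```

Running it prints a VEX skeleton in which proj-a's requests 2.25.1 lands in `known_affected` and proj-b's 2.31.0 in `known_not_affected`, while urllib3 is absent because the advisory never names it. In production the version compare would be replaced by an ecosystem-aware library, and the `known_not_affected` verdict would usually need a `flags` or `threats` justification before publication; both are deliberately left out here.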
Requirements:
- Advanced (5+ years) knowledge of the Python programming language and its ecosystem
- Deep understanding of Software Supply Chain Security concepts, including SBOM standards (SPDX, CycloneDX) and vulnerability data formats (CSAF, VEX, OSV)
- Intermediate (3+ years) experience with relational databases (e.g., PostgreSQL) for managing vulnerability and component metadata
- Experience with CI/CD pipelines (e.g., Tekton, GitHub Actions, GitLab CI) and integrating security scanning tools into build processes
- Interest in the container ecosystem (Kubernetes, Red Hat OpenShift, Podman)
- Good written and verbal communication skills in English, with a strong ability to collaborate in open-source communities