Skill is seeking a senior DevSecOps engineer for direct assignment to one of their enterprise clients, a global test-and-measurement and instrumentation OEM. The role involves implementing security controls into an existing product ecosystem to achieve compliance with the EU Cyber Resilience Act ahead of the 2027 enforcement date.
Responsibilities:
- Implement and scale SAST and SCA across heterogeneous and often legacy codebases
- Generate and maintain Software Bills of Materials (SBOMs)
- Integrate security tooling into multiple build systems and CI/CD pipelines, including vendor-specific and custom toolchains
- Design scalable, reusable security workflows applicable across many repositories and product teams
- Contribute to a central vulnerability and waiver database supporting consistent risk-acceptance management, audit traceability, and long-term reporting
- Translate CRA regulatory requirements into concrete, engineering-pragmatic technical controls
- Drive end-to-end ownership of initial priorities: rapid implementation of security scanning and full visibility of current security posture
Requirements:
- Demonstrable product-security or regulated-compliance background (CRA, IEC 62443, FDA, DoD, ISO 27001, or similar) with the ability to translate regulation into technical solutions
- Hands-on, production-scale experience with SAST and SCA tools (e.g., Veracode, CodeSonar)
- Practical experience generating and maintaining SBOMs
- CI/CD build and automation across GitHub, GitLab, GitHub Actions, and AWS
- Working knowledge of C and C++
- Working knowledge of Python (automation scripts, supporting tools)
- Experience integrating security into multiple build systems and toolchains (CMake, Make, vendor-specific)
- Track record of scaling security workflows across portfolios with many repositories and a mix of legacy and greenfield work
- Experience designing or contributing to vulnerability, waiver, or risk-acceptance databases
- Awareness of embedded systems and long-lifecycle product constraints
- Prior exposure to semi-automated or AI-assisted vulnerability remediation workflows (as engineering support, not replacement for engineering decisions)
- Previous DevSecOps work at OEMs with broad hardware portfolios
- Familiarity with federal or highly regulated industries