Security Analyst / Product Security Engineer (Software) (m/f/d)

• Define and maintain the security architecture of the tester software platform, primarily focusing on Linux workstation software.
• Translate Cyber Resilience Act (CRA) essential cybersecurity requirements into concrete software development practices and product requirements.
• Perform threat modeling and security risk analysis for the software architecture, interfaces, and external integrations.
• Identify and analyze security vulnerabilities in the software stack (C++, Java, Linux environment).
• Establish and maintain secure development practices, including:
• secure coding guidelines
• security-focused code reviews
• use of static and dependency security analysis tools
• Monitor security advisories and vulnerability databases (e.g. CVEs) for third-party libraries, Linux components, and external dependencies used by the product.
• Investigate reported vulnerabilities or security incidents affecting the software and coordinate root cause analysis and remediation with development teams.
• Define and maintain processes for vulnerability handling and disclosure, including tracking, prioritization, and remediation.
• Support development teams in implementing security controls, such as:
• authentication and authorization mechanisms
• secure use of cryptographic functions
• protection against common software vulnerabilities
• Define requirements and concepts for secure software updates and software integrity protection.
• Contribute to security documentation required for CRA compliance, including risk assessments and security-related product documentation.
• Act as security advisor for development teams, helping them design and implement secure solutions.
• Assess security implications of executing customer-provided test programs and define safeguards such as sandboxing, permissions, or execution isolation.

Qualifications

Software Security:

• Strong understanding of secure software design and architecture
• Experience with secure development practices for large software systems
• Knowledge of common software vulnerabilities and mitigation techniques (e.g. OWASP Top 10, memory safety issues)
• Familiarity with security aspects of C++ and Java development
• Understanding of Linux operating system security concepts

Security Engineering:

• Experience with threat modeling and security risk analysis
• Familiarity with security testing techniques, such as static analysis, dependency scanning, and vulnerability analysis
• Ability to analyze vulnerability reports and determine product impact
• Experience with investigating software defects and root causes

Standards and Compliance:

• Understanding of Cyber Resilience Act (CRA) requirements for software products
• Knowledge of secure development lifecycle (SDL) practices
• Familiarity with industry security standards and guidelines (e.g. OWASP, NIST, ISO/IEC security practices)
  Collaboration
• Ability to work closely with software architects and development teams
• Ability to translate security and regulatory requirements into practical development guidelines
• Strong analytical and problem-solving skills
• Ability to communicate security risks and recommendations clearly