Spire is seeking a senior technical lead to own product security strategy and execution to push toward CMMC Level 2+ compliance for CUI handling in their defense-relevant environment.
Requirements
- Mastery of container security (Docker/K8s), tools (Trivy/Snyk/Falco/OPA), languages for tooling (Python/Rust).
- Fluency in threats (injection, lateral moves), controls (800-53 mappings), DevSecOps.
- SBOMs, zero-trust, SIEM-fed logging.
- AWS sec services (GuardDuty, Security Hub, Config), IaC (Terraform).
- Embedded/satellite sec (secure boot, updates).
- Open-source sec contribs.
- Relevant certs (CSSLP/OSCP/GIAC), where they reflect real expertise.
Responsibilities
- Integrate security automation into our pipelines (e.g., GitHub Actions/ArgoCD for SAST/DAST/SCA, SBOM, vuln scanning).
- Evolve standard libraries and infrastructure for authn/authz, logging, and other run-time security concerns.
- Hands-on implementation to meet/exceed CMMC Level 2 controls (AC, IA, SC, SI families)—e.g., encryption, secure configs, monitoring—leveraging our ISO 27001 base and federal experience.
- Conduct security architecture reviews, code audits, and threat modeling.
- Identify/fix issues like API vulns or supply chain risks.
- Mentor and assign work to security engineers, advancing secure practices via code reviews, pair sessions, and tooling.
- Define the security perimeter within software architectures to establish clear trust boundaries where security requirements will be enforced across all components.
Other
- 10+ years in software/security engineering, 6+ in sec-focused roles.
- Shipped secure cloud systems (AWS), CI/CD security, and compliance projects (CMMC/FedRAMP/NIST).
- Proven mentoring, leading initiatives, influencing in small teams.
- Ability to engage with staff internally in a constructive way and represent Spire externally.
- Work a minimum of three days per week in the office.