Security & DevSecOps Engineer – Cyber Resilience Act (CRA) Compliance

160 - 200 PLN / month, B2B (net)
Senior · Full-time · B2B
#324840 · Added 21 days ago · 70
Source: theprotocol.it

Tech Stack / Keywords

C++ · DevSecOps · embedded systems · security · SAST · CMake

Company and position

This project is directly focused on achieving compliance with the Cyber Resilience Act (CRA), a strategic priority for the organization. The role involves designing and implementing scalable security mechanisms across a broad product portfolio, including embedded systems, ensuring regulatory compliance and long-term maintainability of solutions.

The initiative spans multiple products, legacy codebases, heterogeneous build environments, and numerous repositories, requiring pragmatic and scalable security solutions.

Key Challenges:

  • Implementing security measures in existing legacy systems (non-greenfield).
  • Balancing CRA regulatory compliance with engineering pragmatism.
  • Delivering scalable, auditable, reusable, and maintainable solutions.

Requirements

  • Experienced engineer with strong technical security expertise and DevOps / DevSecOps skills.
  • Proven experience working with security or product compliance regulations.
  • Ability to translate legal requirements into technical implementations.
  • Programming: C/C++.
  • DevOps / CI/CD pipelines (GitHub, GitLab, GitHub Actions, AWS).
  • Security practices: application and product security, code analysis.
  • Tools: SAST, SCA, SBOM generation, Veracode, CodeSonar, CI/CD automation.
  • Build environments: CMake, Make, vendor-specific solutions, integration of security tools into custom pipelines.
  • Previous role in DevSecOps or similar security-focused engineering position.
  • Experience with embedded systems and long-lifecycle products.
  • Ability to operate at scale: multiple teams, repositories, and products.
  • Strong ownership mentality with end-to-end solution delivery.

Nice to have:

  • High level of independence and decision-making authority.
  • Pragmatic approach balancing regulatory compliance, engineering efficiency, and scalability.
  • Ability to operate in heterogeneous, legacy environments with minimal standardization.

Responsibilities

  • Design, implement, and maintain scalable security workflows across multiple products and repositories.
  • Translate legal and regulatory requirements (CRA) into actionable technical solutions.
  • Implement and scale DevSecOps practices, including SAST, SCA, and SBOM generation.
  • Integrate security tools (e.g., Veracode, CodeSonar) into CI/CD pipelines.
  • Build and maintain centralized vulnerability management systems, including vulnerability databases and waiver management.
  • Ensure full traceability for audits and consistent risk management practices.
  • Collaborate across multiple teams to ensure end-to-end ownership of security solutions.
  • Work in complex, heterogeneous, and legacy environments with limited automation.
  • Optionally contribute to AI-assisted vulnerability remediation workflows and semi-automated.

SQUARE ONE RESOURCES sp. z o.o.
