Skill is seeking a senior DevSecOps engineer for direct assignment to one of their enterprise clients, a global test-and-measurement and instrumentation OEM. The role involves implementing security controls across an existing product ecosystem to achieve compliance with the EU Cyber Resilience Act (CRA) ahead of its enforcement date.
Responsibilities:
- Implement and scale SAST and SCA across heterogeneous and often legacy codebases
- Generate and maintain Software Bills of Materials (SBOMs)
- Integrate security tooling into multiple build systems and CI/CD pipelines, including vendor-specific and custom toolchains
- Design scalable, reusable security workflows applicable across many repositories and product teams
- Contribute to a central vulnerability and waiver database supporting consistent risk-acceptance management, audit traceability, and long-term reporting
- Translate CRA regulatory requirements into concrete, engineering-pragmatic technical controls
- Take end-to-end ownership of the initial priorities: rapid rollout of security scanning and full visibility into the current security posture
Requirements:
- US Citizen — Lawful Permanent Residents do not qualify for this role
- Demonstrable product-security or regulated-compliance background (CRA, IEC 62443, FDA, DoD, ISO 27001, or similar) with the ability to translate regulation into technical solutions
- Hands-on, production-scale experience with SAST and SCA tools (e.g., Veracode, CodeSonar)
- Practical experience generating and maintaining SBOMs
- CI/CD build and automation across GitHub, GitLab, GitHub Actions, and AWS
- Working knowledge of C and C++
- Working knowledge of Python (automation scripts, supporting tools)
- Experience integrating security into multiple build systems and toolchains (CMake, Make, vendor-specific)
- Track record scaling security workflows across portfolios with many repositories and a mix of legacy and greenfield work
- Experience designing or contributing to vulnerability, waiver, or risk-acceptance databases
- Awareness of embedded systems and long-lifecycle product constraints
- Prior exposure to semi-automated or AI-assisted vulnerability remediation workflows (as engineering support, not replacement for engineering decisions)
- Previous DevSecOps work at OEMs with broad hardware portfolios
- Familiarity with federal or highly regulated industries