Jobs · Marketing · California

Systems Security Engineer

TalentAlly · San Mateo, CA · Yesterday
MarketingContract

Platform Hardening & Architecture

  • Design and implement the Hardware Root of Trust and Secure Boot architecture from the first-stage bootloader through the Linux kernel.
  • Implement dm-verity for cryptographically verified read-only root filesystems and secure data encryption at rest.
  • Develop, integrate, and maintain a TEE (e.g., OP-TEE) and author Secure/Trusted Applications (TAs).
  • Enforce strict user-space isolation and sandboxing strategies using SELinux, AppArmor, cgroups, namespaces, and seccomp filters to protect core systems from untrusted applications.

Storage & Integrity Management

  • Implement dm-verity for cryptographically verified read-only root filesystems and secure data encryption at rest.

Trusted Execution Environments

  • Develop, integrate, and maintain a TEE (e.g., OP-TEE) and author Secure/Trusted Applications (TAs).

Application Sandboxing

  • Enforce strict user-space isolation and sandboxing strategies using SELinux, AppArmor, cgroups, namespaces, and seccomp filters to protect core systems from untrusted applications.

DevSecOps Automation

  • Build automated cryptographic signing pipelines within CI/CD infrastructure (e.g., GitLab CI, GitHub Actions) to securely sign bootloaders, kernels, and OTA payloads using HSMs or secure key vaults.

Production Provisioning Support

  • Collaborate with manufacturing teams to write robust scripts and tools for burning permanent hardware configuration fuses (eFuses / OTP memory) securely, designing end-of-line (EOL) test software to validate security features before shipping.

System Resilience

  • Architect multi-slot boot recovery layouts (e.g., A/B partitioning) to guarantee fail-safe resilience against failed OTA updates or corrupted boots.

Qualifications

  • Education: Bachelor's degree in Computer Science, Computer Engineering, Electrical Engineering, or a related technical discipline (or equivalent practical experience).
  • Core Experience: 6+ years of professional experience in Embedded Linux development, board bring-up, and Board Support Package (BSP) customization.
  • Security Focus: 3+ years of dedicated, hands-on experience deploying device-level security features into physical production hardware.
  • Low-Level Systems: Expert knowledge of bootloader configurations (e.g., U-Boot Verified Boot, Barebox) and customizing the Linux kernel storage/security subsystem (dm-crypt, dm-verity).
  • Hardware Security Architecture: Deep understanding of modern processor security architectures, specifically ARM TrustZone (ARMv7-A / ARMv8-A, Exception Levels EL1EL3).
  • Sandboxing & Access Controls: Proven track record implementing SELinux/AppArmor policies and utilizing standard Linux containment tools (cgroups, namespaces).
  • Build Automation: Proficiency with embedded Linux build automated frameworks like the Yocto Project (BitBake recipe design) or Buildroot.
  • Programming: Advanced proficiency in C and strong scripting skills in Python or Bash.

Preferred Qualifications

  • Cryptography Expertise: Strong foundational knowledge of symmetric/asymmetric cryptography, hashing algorithms (SHA-256/384), public key infrastructure (PKI), and handling physical Hardware Security Modules (HSMs).
  • Manufacturing Scale: Prior experience working with Contract Manufacturers (CMs) or internal factory lines to deploy secure key-injection and fuse-burning protocols.
  • Advanced Sandboxing: Experience with embedded container runtimes (e.g., LXC, crun) or lightweight sandboxing frameworks tailored for resource-constrained architectures.
  • Anti-Rollback Protection: Experience designing secure versioning and hardware-enforced anti-rollback strategies for OTA updates.

Benefits

  • Creative Circle's Freelance Employee benefits package includes eligibility for Minimum Essential Coverage (MEC) medical plan, dental/vision/term life package, discount prescription program, critical illness, accident, tele-behavioral health, and 401(k) plan.
  • Sick leave is provided to Candidates whose assignment work location is in a state or city subject to sick leave laws.
  • A Minimum Value (MV) PPO medical plan, Employee Stock Purchase Plan, and paid holiday eligibility are based on length and dates of service.

Similar jobs

Systems Security Engineer

Booz Allen HamiltonAtlanta, GA· Yesterday
Information Technology$69k–$158k/yrapply on careers.boozallen.com

Systems Security Engineer

Impact Networking, LLCLake Forest, IL· 2 days ago
Information Technology$90k–$110k/yrapply on jobs.talemetry.com

Systems Security Engineer

Modern Technology Solutions, Inc. (MTSI)Wright-Patterson Air Force Base, OH· 2 wk ago
Information Technologyapply on mtsi-va.eightfold.ai

System Security Engineer

Cymertek CorporationTysons Corner, VA· 12 mo ago
Information Technologyapply on cymertek.catsone.com