Qualgo Technologies Vietnam

Product Security Engineer (Embedded & Platform Security)

Posted 25 days ago

Job Description

As a Product Security Engineer, you will be a key member of the team responsible for ensuring the security of Qualgo's embedded and platform products throughout their lifecycle. You will collaborate closely with firmware developers, system architects, DevOps, and cloud engineers to integrate security into hardware-software systems that combine embedded devices, wireless connectivity, mobile applications, and cloud services. You will lead secure architecture reviews, threat modeling, firmware assessments, and security testing across multiple layers of the platform. Your role will help ensure that embedded products and their supporting infrastructure are secure by design.

Key Responsibilities

Threat Modeling

  • Conduct threat modeling sessions for embedded firmware, communication protocols, mobile apps, APIs, and backend systems.
  • Identify risks such as insecure boot sequences, OTA tampering, unauthorized access to device data, and insecure remote command execution.
  • Maintain and evolve threat models as new features and system components are introduced.

Security Requirements Definition

  • Define security requirements related to:
      • Secure boot, firmware integrity, debug interface protection.
      • Encrypted communication between devices, applications, and backend systems.
      • Authentication and access control for remote management.
  • Translate regulatory requirements and best practices into engineering specifications and development guidance.

Security Design Reviews

  • Review embedded architecture, hardware-software interaction, and system-level designs for security flaws.
  • Provide guidance on:
      • Key management, trust anchors, tamper resistance.
      • Secure update mechanisms and identity validation across components.
  • Validate cloud/edge integration models, mobile access controls, and backend APIs for compliance with internal security standards.

Code Reviews (Security Focus)

  • Perform security-focused code reviews on:
      • Embedded C/C++ code for bootloaders, communication stacks, drivers.
      • Mobile or backend code (e.g., Python, Go, Java) where it interfaces with embedded systems.
  • Identify vulnerabilities related to buffer overflows, insecure crypto, privilege escalation, or improper device configuration.

Security Testing

  • Coordinate and conduct:
      • Static and dynamic analysis of firmware.
      • Fuzzing, interface abuse testing (e.g., UART/JTAG), and credential brute-force attempts.
      • End-to-end penetration testing across embedded devices, apps, and backend.
  • Collaborate with QA and external partners to ensure complete coverage of attack surfaces.

Secure Development Lifecycle (SDL)

  • Integrate SDL practices into embedded and platform development workflows.
  • Provide secure coding training and maintain best practice guidelines for firmware and cross-platform engineering teams.
  • Ensure pre-release security assessments are performed for every major system component.

Vulnerability Management

  • Manage security issues discovered through testing, research, or external reports.
  • Prioritize and track fixes across firmware, platform services, and APIs.
  • Coordinate secure release of patches and updates across the fleet.

Incident Response (Product Focus)

  • Participate in product security incident investigations, root cause analysis, and mitigation planning.
  • Document post-incident lessons and update threat models and controls as needed.

Collaboration

  • Work across embedded, mobile, and cloud engineering teams to ensure consistency in security posture.
  • Communicate clearly with both technical and non-technical stakeholders.
  • Review third-party vendor components for security assurance.

Qualifications

Education

  • Bachelor's degree in Computer Engineering, Embedded Systems, Information Security, or a related field. Master's preferred.

Experience

  • 5+ years in software or security engineering, with at least 2 years focused on embedded systems or cross-platform hardware/software products.
  • Strong knowledge of:
      • Microcontroller architectures (e.g., ARM Cortex-M/R), RTOS (FreeRTOS, Zephyr), bootloaders.
      • Secure communication protocols (TLS, DTLS, MQTT, BLE), OTA security, and firmware encryption.
      • Debug port security, anti-rollback protections, and secure element/HSM usage.
  • Experience with platform-level systems integrating mobile apps and cloud APIs.
  • Familiarity with API security, mobile app security (Android/iOS), and backend IAM controls.
  • Experience with SAST/DAST tools, binary analysis, and memory protection techniques.

Skills

  • Proficient in C/C++, Python, and at least one scripting language for automation.
  • Strong understanding of embedded security concepts and practical implementation.
  • Comfortable analyzing firmware binaries and performing reverse engineering tasks.
  • Clear communication skills, with the ability to explain technical security issues.
  • Self-driven, team-oriented, and passionate about security and reliability.

Certifications (Desirable)

  • Offensive Security Certified Professional (OSCP)
  • GIAC GICSP or Certified Embedded Systems Security Professional (CESSP)
  • CISSP or other relevant certifications

What We Offer

  • Competitive salary and benefits package.
  • 100% salary during probation period.
  • Full social insurance contribution based on 100% of salary.
  • Opportunity to secure complex and high-impact hardware/software platforms.
  • Dynamic and collaborative working culture.
  • Premium health insurance for you and your family.
  • Annual leave: 12 days/year + 1 Birthday Leave + 1 Christmas Leave.
  • Annual performance review and continuous learning opportunities.
  • Access to internal and external training.
  • Company trips, team-building events, and year-end party.
  • MacBook and external screen provided (if needed).
  • Free tea and coffee; comfortable working space.
  • Working hours: 9am to 6pm, Monday to Friday.

Location: The Hallmark Building - 15 Tran Bach Dang, An Khanh Ward, Thu Duc City, HCMC.

More Info

Date Posted: 07/09/2025

Job ID: 125727763

Last Updated: 02-10-2025 10:45:45 PM