Product Security Engineer

About the position

1. Job Summary and Overview At our organization, we believe that security is the bedrock of innovation. Our mission is to provide world-class digital services that empower our users while maintaining the highest standards of digital trust and data integrity. We foster a culture of technical excellence, where engineers are encouraged to be proactive, inquisitive, and dedicated to the craft of building resilient systems. As we continue to expand our footprint in the tech ecosystem, we are looking for a specialist who shares our passion for open-source technology and robust security architectures. 1.1 Position Specifications Category Details Position Title Product Security Engineer (RHEL Specialist) Location Remote Experience Level Senior (Minimum 5+ Years Professional Experience) Language Requirements Portuguese and English Employment Type Permanent / Full-Time 1.2 Role Summary The Product Security Engineer (RHEL Specialist) is a critical technical position focused on the intersection of infrastructure stability and proactive security posture. The core purpose of this role is to embed automated security controls, hardening standards, and DevSecOps best practices throughout the entire product lifecycle, with a specialized focus on the Red Hat Enterprise Linux (RHEL) ecosystem. You will be the primary architect of security automation, ensuring that our RHEL-based infrastructure is resilient against modern threats while maintaining high availability and operational efficiency. Role Mission: To transform traditional security "gates" into automated security "guardrails" within our Linux environment. You will be tasked with identifying system inefficiencies, automating vulnerability remediation, and ensuring that security is a seamless component of our CI/CD pipelines and virtualization stacks. The ideal candidate is not just a security enthusiast but a seasoned Linux practitioner who understands the nuances of system internals. You will move beyond manual checklists, leveraging Ansible for configuration management and Python/Bash for custom security tooling. Whether managing workloads on-premise through VMware/KVM or across AWS, Azure, or GCP , your objective remains consistent: to provide a secure, standardized, and self-healing platform that serves as the backbone for our product offerings. 1.3 Core Objectives and Expectations Infrastructure Hardening: Design and enforce automated RHEL hardening standards across all environments using CIS benchmarks or similar frameworks. Security Automation: Implement "Security as Code" principles to reduce manual toil and human error in security configurations. Proactive System Optimization: Actively hunt for system inefficiencies and performance bottlenecks, providing automated resolutions before they impact product delivery. Cloud and Container Security: Secure our transition to cloud-native architectures by ensuring Docker and Kubernetes environments meet enterprise security requirements. Continuous Integration: Integrate security scanning and compliance auditing directly into our Jenkins and GitLab CI pipelines. As a senior member of the technical staff, you will be expected to work with a high degree of autonomy, collaborating with both DevOps and Software Development teams to foster a culture of shared responsibility for security outcomes. 2. Key Responsibilities The Product Security Engineer (RHEL Specialist) is tasked with safeguarding the integrity, availability, and confidentiality of our product ecosystem. This role functions at the critical intersection of system engineering and cybersecurity, requiring a hands-on approach to building resilient infrastructure. The incumbent is expected to move beyond reactive security measures, instead architecting automated, self-healing systems that adhere to global security standards. 2.1 Security Automation & Hardening The primary accountability in this area is the conversion of complex security requirements into executable, version-controlled code. This ensures a consistent security posture across all environments, from development to production. Ansible Orchestration: Design, develop, and maintain a library of Ansible playbooks and roles specifically focused on Red Hat Enterprise Linux (RHEL) security compliance (e.g., CIS Benchmarks, STIGs). Automated Patch Management: Implement and manage automated patching lifecycles for RHEL systems to ensure timely remediation of Critical and High-severity vulnerabilities with minimal service disruption. Configuration as Code: Enforce system state consistency by automating the deployment of security configurations, including SELinux policies, SSH hardening, and kernel parameter tuning (sysctl). Identity & Access Management (IAM): Automate the provisioning and auditing of privileged access, ensuring the Principle of Least Privilege is enforced across all Linux-based product components. Compliance Drift Detection: Develop automated monitoring solutions to detect and remediate configuration drift from established security baselines in real-time. 2.2 Secure CI/CD Pipeline Integration This role serves as a key architect in our DevSecOps transformation, ensuring that security is not a final checkpoint but a continuous process embedded within our software delivery pipelines. Security Tooling Integration: Embed and configure Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA) tools within Jenkins and GitLab CI pipelines. Automated Gatekeeping: Define and implement "fail-build" criteria based on security risk thresholds to prevent vulnerable code or insecure configurations from reaching production. Secrets Management: Architect and maintain secure workflows for managing API keys, certificates, and credentials within the CI/CD environment using HashiCorp Vault or native cloud secrets managers. Pipeline Auditing: Maintain comprehensive logging and auditing of pipeline activities to ensure the integrity of the build and deployment process. Developer Collaboration: Work closely with software engineering teams to interpret security scan results and provide actionable, automated remediation guidance. Proactive Efficiency Focus: Beyond standard security tasks, the Engineer must actively identify operational inefficiencies—such as slow build times due to security scans or excessive manual intervention in configuration—and engineer automated solutions to streamline these processes without compromising the security posture. 2.3 Cloud & Container Security As we leverage hybrid and multi-cloud architectures, the Product Security Engineer is responsible for the security of our virtualized and containerized workloads. Cloud Governance: Implement and automate security best practices for public cloud platforms (AWS, Azure, or GCP), focusing on VPC security, IAM roles, and encrypted storage. Kubernetes Hardening: Design and maintain security policies for Kubernetes clusters, including Network Policies, Pod Security Admissions, and RBAC configurations. Container Image Security: Establish automated container image scanning and signing processes to ensure only trusted and verified images are deployed via Docker. Runtime Protection: Implement monitoring and protection tools for containerized environments to detect and respond to anomalous behavior or runtime threats. Virtualization Security: Ensure the underlying virtualization layer (KVM, VMware) is secured and isolated according to industry best practices. 2.4 Vulnerability Management & Threat Modeling The Engineer must act as a proactive "hunter," identifying weaknesses before they can be exploited and designing systems that are inherently resilient. Threat Modeling: Lead threat modeling exercises (e.g., STRIDE or PASTA) for new product features and infrastructure changes to identify potential attack vectors early in the design phase. Vulnerability Assessment: Perform regular automated vulnerability scans of the RHEL infrastructure and cloud resources, prioritizing findings based on business impact and exploitability. Automated Remediation: Develop "auto-remediation" workflows using Python or Ansible to fix common vulnerabilities and misconfigurations without manual intervention. Incident Response Support: Provide technical expertise and forensic support to the Incident Response team during security events, particularly those involving Linux systems or cloud infrastructure. Security Research: Stay abreast of emerging threats, zero-day vulnerabilities, and new RHEL security features to proactively adapt our security architecture. Accountability Metric Expected Outcome Compliance Coverage 95%+ of RHEL fleet adhering to automated security baselines. Mean Time to Remediate (MTTR) Reduction in remediation time for critical patches through automated deployment. Pipeline Security 100% of production builds subjected to automated security gating. 3. Required Technical Skills & Qualifications To be successful in the role of Product Security Engineer (RHEL Specialist), candidates must demonstrate a profound technical foundation in Linux systems engineering and a modern, automation-first approach to cybersecurity. We require a professional who has moved beyond basic administration into the realm of infrastructure-as-code and proactive threat mitigation. Mandatory Experience: A minimum of five (5) years of demonstrable professional experience in Systems Engineering, DevSecOps, or Product Security roles is required. Candidates must have spent a significant portion of this time managing enterprise-scale Red Hat Enterprise Linux environments. 3.1 Red Hat Enterprise Linux (RHEL) Mastery As the core focus of this role, we require "expert-level" knowledge of the RHEL ecosystem (versions 7, 8, and 9). This includes: Advanced Administration: Deep understanding of system internals, kernel tuning, LVM/storage management, and performance troubleshooting. Security Hardening: Proven ability to implement and manage SELinux policies (writing custom modules and troubleshooting denials) and system auditing (auditd). Identity & Lifecycle: Experience with Red Hat Satellite or Foreman for lifecycle management, content views, and automated errata/patching workflows. Compliance Frameworks: Implementation of OpenSCAP and automated compliance scanning against CIS Benchmarks or STIG requirements. 3.2 Automation, Orchestration & Scripting The candidate must be able to treat infrastructure as a software project, leveraging code to eliminate manual toil and configuration drift. Ansible: Expert-level proficiency in Ansible . Must be capable of designing modular roles, maintaining complex playbooks, and utilizing Ansible Automation Platform (or Tower/AWX) for scheduled security workflows. Python: Strong proficiency in Python for developing custom security tooling, API integrations, and complex automation logic. Bash: Mastery of Bash scripting for rapid system-level automation and diagnostic utilities. 3.3 Infrastructure & Cloud Platforms Category Requirement Detail Cloud Platforms Hands-on security engineering experience in at least one major provider: AWS, Azure, or GCP . Knowledge of native security services (e.g., AWS GuardDuty, Azure Security Center) is essential. Virtualization Proficiency in managing and securing KVM (Kernel-based Virtual Machine) and VMware vSphere environments. Containers Solid understanding of Docker image security and Kubernetes (or OpenShift) cluster hardening, including RBAC, Network Policies, and Pod Security Standards. 3.4 DevSecOps Tooling & Pipelines CI/CD: Proven experience embedding security scans and gates within Jenkins or GitLab CI pipelines. Version Control: Expert knowledge of Git (branching strategies, merge requests, and GitOps workflows). Security Scanning: Experience with SAST/DAST/SCA tools (e.g., SonarQube, Snyk, Trivy, or Checkmarx). 3.5 Education & Certifications While we prioritize practical experience and technical aptitude, the following formal qualifications are highly regarded: Academic: A Bachelors degree in Computer Science, Information Security, or a related Engineering field. Linux Certifications: Red Hat Certified Engineer ( RHCE ) or Red Hat Certified Specialist in Security (Linux or Containers). Security Certifications: Industry-standard certifications such as CISSP (Certified Information Systems Security Professional), OSCP (Offensive Security Certified Professional), or CISM. Cloud Certifications: AWS Certified Security - Specialty, or equivalent professional-level cloud certifications. 4. Desired Soft Skills & Attributes Technical mastery of Red Hat Enterprise Linux and automation frameworks is a baseline requirement; however, the true effectiveness of a Product Security Engineer is defined by their professional character and interpersonal aptitude. In a modern DevSecOps environment, security is no longer a siloed function but a shared responsibility. We are seeking a candidate who can navigate the complexities of organizational dynamics with diplomacy, precision, and a relentless focus on the mission. 4.1 Proactive & Analytical Mindset The ideal candidate does not wait for an alert to trigger before taking action. You possess an innate ability to dissect complex system architectures and identify subtle inefficiencies or potential threat vectors before they materialize into operational risks. Ability to perform deep root-cause analysis rather than applying superficial fixes. Proactively hunting for "security technical debt" and proposing scalable automation to resolve it. Anticipating how infrastructure changes will impact the overall security posture. 4.2 Strong Sense of Ownership We value engineers who take radical accountability for the security posture of the products they support. You treat the infrastructure as your own, ensuring that every deployment meets the highest standards of integrity. A "stop-the-line" mentality when critical security flaws are detected in the product lifecycle. Demonstrating persistence in seeing complex security remediations through to completion. Taking pride in maintaining clean, well-documented, and highly secure codebases and configurations. The "Security as an Enabler" Philosophy: Success in this role requires a shift from being a "gatekeeper" to being a "guardrail provider." We are looking for a professional who empowers development teams to move fast securely, rather than slowing them down with manual processes and bureaucracy. 4.3 Excellent Communication & Influence Security risks are often abstract; your job is to make them tangible and actionable. You must be able to translate complex technical vulnerabilities into business-impact terms for non-technical stakeholders, while providing specific, code-level guidance to developers. Strong written communication for creating clear runbooks, security advisories, and architectural documentation. Ability to remain calm and provide clear instructions during high-pressure security incidents. Influence without authority: Persuading cross-functional teams to prioritize security enhancements. 4.4 Collaborative Spirit & Professional Empathy The Product Security Engineer works at the nexus of DevOps, Site Reliability Engineering (SRE), and Development. You must be a team player who values diverse perspectives and understands the operational pressures faced by other teams. Willingness to mentor junior engineers and share RHEL/Security knowledge across the organization. Actively participating in peer code reviews and architectural design sessions. Building relationships across departments to foster a healthy, security-first culture. 4.5 Continuous Learner & Tech Visionary The cybersecurity landscape changes weekly. We need a candidate with a genuine passion for the field who treats learning as a core part of their daily routine. Staying abreast of the latest Red Hat releases, CVEs, and open-source security tooling. Actively participating in the security community (e.g., attending conferences, contributing to open-source projects, or following threat intelligence feeds). An experimentation-focused mindset—willing to pilot new tools and technologies to improve the organizational security posture.

Place of work