Product Security Engineer

1. Job Summary and Overview

At our organization we believe that security is the bedrock of innovation. Our mission is to provide world-class digital services that empower our users while maintaining the highest standards of digital trust and data integrity. We foster a culture of technical excellence where engineers are encouraged to be proactive inquisitive and dedicated to the craft of building resilient systems. As we continue to expand our footprint in the tech ecosystem we are looking for a specialist who shares our passion for open-source technology and robust security architectures.

1.1 Position Specifications

Category

Details

Position Title

Product Security Engineer (RHEL Specialist)

Location

Remote

Experience Level

Senior (Minimum 5 Years Professional Experience)

Language Requirements

Portuguese and English

Employment Type

Permanent / Full-Time

1.2 Role Summary

The Product Security Engineer (RHEL Specialist) is a critical technical position focused on the intersection of infrastructure stability and proactive security posture. The core purpose of this role is to embed automated security controls hardening standards and DevSecOps best practices throughout the entire product lifecycle with a specialized focus on the Red Hat Enterprise Linux (RHEL) ecosystem. You will be the primary architect of security automation ensuring that our RHEL-based infrastructure is resilient against modern threats while maintaining high availability and operational efficiency.

Role Mission:

To transform traditional security gates into automated security guardrails within our Linux environment. You will be tasked with identifying system inefficiencies automating vulnerability remediation and ensuring that security is a seamless component of our CI/CD pipelines and virtualization stacks.

The ideal candidate is not just a security enthusiast but a seasoned Linux practitioner who understands the nuances of system internals. You will move beyond manual checklists leveraging Ansible for configuration management and Python/Bash for custom security tooling. Whether managing workloads on-premise through VMware/KVM or across AWS Azure or GCP your objective remains consistent: to provide a secure standardized and self-healing platform that serves as the backbone for our product offerings.

1.3 Core Objectives and Expectations

Infrastructure Hardening: Design and enforce automated RHEL hardening standards across all environments using CIS benchmarks or similar frameworks.

Security Automation: Implement Security as Code principles to reduce manual toil and human error in security configurations.

Proactive System Optimization: Actively hunt for system inefficiencies and performance bottlenecks providing automated resolutions before they impact product delivery.

Cloud and Container Security: Secure our transition to cloud-native architectures by ensuring Docker and Kubernetes environments meet enterprise security requirements.

Continuous Integration: Integrate security scanning and compliance auditing directly into our Jenkins and GitLab CI pipelines.

As a senior member of the technical staff you will be expected to work with a high degree of autonomy collaborating with both DevOps and Software Development teams to foster a culture of shared responsibility for security outcomes.

2. Key Responsibilities

The Product Security Engineer (RHEL Specialist) is tasked with safeguarding the integrity availability and confidentiality of our product ecosystem. This role functions at the critical intersection of system engineering and cybersecurity requiring a hands-on approach to building resilient infrastructure. The incumbent is expected to move beyond reactive security measures instead architecting automated self-healing systems that adhere to global security standards.

2.1 Security Automation & Hardening

The primary accountability in this area is the conversion of complex security requirements into executable version-controlled code. This ensures a consistent security posture across all environments from development to production.

Ansible Orchestration: Design develop and maintain a library of Ansible playbooks and roles specifically focused on Red Hat Enterprise Linux (RHEL) security compliance (e.g. CIS Benchmarks STIGs).

Automated Patch Management: Implement and manage automated patching lifecycles for RHEL systems to ensure timely remediation of Critical and High-severity vulnerabilities with minimal service disruption.

Configuration as Code: Enforce system state consistency by automating the deployment of security configurations including SELinux policies SSH hardening and kernel parameter tuning (sysctl).

Identity & Access Management (IAM): Automate the provisioning and auditing of privileged access ensuring the Principle of Least Privilege is enforced across all Linux-based product components.

Compliance Drift Detection: Develop automated monitoring solutions to detect and remediate configuration drift from established security baselines in real-time.

2.2 Secure CI/CD Pipeline Integration

This role serves as a key architect in our DevSecOps transformation ensuring that security is not a final checkpoint but a continuous process embedded within our software delivery pipelines.

Security Tooling Integration: Embed and configure Static Application Security Testing (SAST) Dynamic Application Security Testing (DAST) and Software Composition Analysis (SCA) tools within Jenkins and GitLab CI pipelines.

Automated Gatekeeping: Define and implement fail-build criteria based on security risk thresholds to prevent vulnerable code or insecure configurations from reaching production.

Secrets Management: Architect and maintain secure workflows for managing API keys certificates and credentials within the CI/CD environment using HashiCorp Vault or native cloud secrets managers.

Pipeline Auditing: Maintain comprehensive logging and auditing of pipeline activities to ensure the integrity of the build and deployment process.

Developer Collaboration: Work closely with software engineering teams to interpret security scan results and provide actionable automated remediation guidance.

Proactive Efficiency Focus:

Beyond standard security tasks the Engineer must actively identify operational inefficienciessuch as slow build times due to security scans or excessive manual intervention in configurationand engineer automated solutions to streamline these processes without compromising the security posture.

2.3 Cloud & Container Security

As we leverage hybrid and multi-cloud architectures the Product Security Engineer is responsible for the security of our virtualized and containerized workloads.

Cloud Governance: Implement and automate security best practices for public cloud platforms (AWS Azure or GCP) focusing on VPC security IAM roles and encrypted storage.

Kubernetes Hardening: Design and maintain security policies for Kubernetes clusters including Network Policies Pod Security Admissions and RBAC configurations.

Container Image Security: Establish automated container image scanning and signing processes to ensure only trusted and verified images are deployed via Docker.

Runtime Protection: Implement monitoring and protection tools for containerized environments to detect and respond to anomalous behavior or runtime threats.

Virtualization Security: Ensure the underlying virtualization layer (KVM VMware) is secured and isolated according to industry best practices.

2.4 Vulnerability Management & Threat Modeling

The Engineer must act as a proactive hunter identifying weaknesses before they can be exploited and designing systems that are inherently resilient.

Threat Modeling: Lead threat modeling exercises (e.g. STRIDE or PASTA) for new product features and infrastructure changes to identify potential attack vectors early in the design phase.

Vulnerability Assessment: Perform regular automated vulnerability scans of the RHEL infrastructure and cloud resources prioritizing findings based on business impact and exploitability.

Automated Remediation: Develop auto-remediation workflows using Python or Ansible to fix common vulnerabilities and misconfigurations without manual intervention.

Incident Response Support: Provide technical expertise and forensic support to the Incident Response team during security events particularly those involving Linux systems or cloud infrastructure.

Security Research: Stay abreast of emerging threats zero-day vulnerabilities and new RHEL security features to proactively adapt our security architecture.

Accountability Metric

Expected Outcome

Compliance Coverage

95% of RHEL fleet adhering to automated security baselines.

Mean Time to Remediate (MTTR)

Reduction in remediation time for critical patches through automated deployment.

Pipeline Security

100% of production builds subjected to automated security gating.

3. Required Technical Skills & Qualifications

To be successful in the role of Product Security Engineer (RHEL Specialist) candidates must demonstrate a profound technical foundation in Linux systems engineering and a modern automation-first approach to cybersecurity. We require a professional who has moved beyond basic administration into the realm of infrastructure-as-code and proactive threat mitigation.

Mandatory Experience:

A minimum of

five (5) years

of demonstrable professional experience in Systems Engineering DevSecOps or Product Security roles is required. Candidates must have spent a significant portion of this time managing enterprise-scale Red Hat Enterprise Linux environments.

3.1 Red Hat Enterprise Linux (RHEL) Mastery

As the core focus of this role we require expert-level knowledge of the RHEL ecosystem (versions 7 8 and 9). This includes:

Advanced Administration: Deep understanding of system internals kernel tuning LVM/storage management and performance troubleshooting.

Security Hardening: Proven ability to implement and manage SELinux policies (writing custom modules and troubleshooting denials) and system auditing (auditd).

Identity & Lifecycle: Experience with Red Hat Satellite or Foreman for lifecycle management content views and automated errata/patching workflows.

Compliance Frameworks: Implementation of OpenSCAP and automated compliance scanning against CIS Benchmarks or STIG requirements.

3.2 Automation Orchestration & Scripting

The candidate must be able to treat infrastructure as a software project leveraging code to eliminate manual toil and configuration drift.

Ansible: Expert-level proficiency in Ansible. Must be capable of designing modular roles maintaining complex playbooks and utilizing Ansible Automation Platform (or Tower/AWX) for scheduled security workflows.

Python: Strong proficiency in Python for developing custom security tooling API integrations and complex automation logic.

Bash: Mastery of Bash scripting for rapid system-level automation and diagnostic utilities.

3.3 Infrastructure & Cloud Platforms

Category

Requirement Detail

Cloud Platforms

Hands-on security engineering experience in at least one major provider: AWS Azure or GCP. Knowledge of native security services (e.g. AWS GuardDuty Azure Security Center) is essential.

Virtualization

Proficiency in managing and securing KVM (Kernel-based Virtual Machine) and VMware vSphere environments.

Containers

Solid understanding of Docker image security and Kubernetes (or OpenShift) cluster hardening including RBAC Network Policies and Pod Security Standards.

3.4 DevSecOps Tooling & Pipelines

CI/CD: Proven experience embedding security scans and gates within Jenkins or GitLab CI pipelines.

Version Control: Expert knowledge of Git (branching strategies merge requests and GitOps workflows).

Security Scanning: Experience with SAST/DAST/SCA tools (e.g. SonarQube Snyk Trivy or Checkmarx).

3.5 Education & Certifications

While we prioritize practical experience and technical aptitude the following formal qualifications are highly regarded:

Academic: A Bachelors degree in Computer Science Information Security or a related Engineering field.

Linux Certifications: Red Hat Certified Engineer (RHCE) or Red Hat Certified Specialist in Security (Linux or Containers).

Security Certifications: Industry-standard certifications such as CISSP (Certified Information Systems Security Professional) OSCP (Offensive Security Certified Professional) or CISM.

Cloud Certifications: AWS Certified Security - Specialty or equivalent professional-level cloud certifications.

4. Desired Soft Skills & Attributes

Technical mastery of Red Hat Enterprise Linux and automation frameworks is a baseline requirement; however the true effectiveness of a Product Security Engineer is defined by their professional character and interpersonal a modern DevSecOps environment security is no longer a siloed function but a shared responsibility. We are seeking a candidate who can navigate the complexities of organizational dynamics with diplomacy precision and a relentless focus on the mission.

4.1 Proactive & Analytical Mindset

The ideal candidate does not wait for an alert to trigger before taking action. You possess an innate ability to dissect complex system architectures and identify subtle inefficiencies or potential threat vectors before they materialize into operational risks.

Ability to perform deep root-cause analysis rather than applying superficial fixes.

Proactively hunting for security technical debt and proposing scalable automation to resolve it.

Anticipating how infrastructure changes will impact the overall security posture.

4.2 Strong Sense of Ownership

We value engineers who take radical accountability for the security posture of the products they support. You treat the infrastructure as your own ensuring that every deployment meets the highest standards of integrity.

A stop-the-line mentality when critical security flaws are detected in the product lifecycle.

Demonstrating persistence in seeing complex security remediations through to completion.

Taking pride in maintaining clean well-documented and highly secure codebases and configurations.

The Security as an Enabler Philosophy:

Success in this role requires a shift from being a gatekeeper to being a guardrail provider. We are looking for a professional who empowers development teams to move fast securely rather than slowing them down with manual processes and bureaucracy.

4.3 Excellent Communication & Influence

Security risks are often abstract; your job is to make them tangible and actionable. You must be able to translate complex technical vulnerabilities into business-impact terms for non-technical stakeholders while providing specific code-level guidance to developers.

Strong written communication for creating clear runbooks security advisories and architectural documentation.

Ability to remain calm and provide clear instructions during high-pressure security incidents.

Influence without authority: Persuading cross-functional teams to prioritize security enhancements.

4.4 Collaborative Spirit & Professional Empathy

The Product Security Engineer works at the nexus of DevOps Site Reliability Engineering (SRE) and Development. You must be a team player who values diverse perspectives and understands the operational pressures faced by other teams.

Willingness to mentor junior engineers and share RHEL/Security knowledge across the organization.

Actively participating in peer code reviews and architectural design sessions.

Building relationships across departments to foster a healthy security-first culture.

4.5 Continuous Learner & Tech Visionary

The cybersecurity landscape changes weekly. We need a candidate with a genuine passion for the field who treats learning as a core part of their daily routine.

Staying abreast of the latest Red Hat releases CVEs and open-source security tooling.

Actively participating in the security community (e.g. attending conferences contributing to open-source projects or following threat intelligence feeds).

An experimentation-focused mindsetwilling to pilot new tools and technologies to improve the organizational security posture.