Senior Security Engineer

Bangalore, India

Calix

Calix is a leading provider of cloud and software platforms, systems, and services for internet service providers. Partner with Calix and grow your business.


Calix provides the cloud, software platforms, systems and services required for communications service providers to simplify their businesses, excite their subscribers and grow their value.

Role Description
The SCA Security Engineer should have at least 6-8 years of experience in the SCA / FOSS domain and in engaging with Architects, Technical Leads, and Security Champions from Development teams to ensure that FOSS security and license needs are considered well in advance during the product development cycle.
You will be primarily responsible for defining, communicating and executing the strategy for the FOSS domain, including processes, tools, metrics, and reporting. You should be able to perform license and SBOM reviews along with validation of all dependencies, both direct and transitive, across all Calix products and guide the teams on security posture. You will also enable Shift Left capabilities for development and engineering teams via IDE support, training, education, and awareness.

Roles & Responsibilities

  • Subject Matter Expertise - Act as SME and provide technical leadership for the SCA domain, mainly FOSS Security and License Reviews. Support SCA scan operations, including scoping, scan pipeline creation (DevSecOps), scan scheduling & validation, and post-scan activities like prioritization & reporting.
  • Tools Engineering (SCA) - Deploy and manage SCA Security Tools, which may include configuration and deployment of SCA tools along with support in managing Security and License review policy violations. Work with the product teams to manage the SBOM and its license matrix across every release.
  • Shift Left Support - Work with product teams to enable SCA plugins on their local IDEs (Eclipse, IntelliJ, VSCode, etc.). Assist CI/CD processes with the integration of SCA scans into automated builds.
  • Security Posture - Work with Product Security leadership to mature the security team capabilities including reporting and remediation guidance in alignment with regulatory requirements.
  • Vendor Management - Monitor and Communicate with the SCA vendor on false positive analysis, feature requests, version upgrades, rules customization, etc. Troubleshoot SCA Scan related issues and open support queries with the vendor as necessary.

Qualifications:

  • 6-8 years of Application Security experience with a minimum of 3 years of experience in SCA tools like Snyk, Black Duck or Nexus Lifecycle Manager
  • SCA tools experience must include Installation, Configuration, Administration and Performance Monitoring of tools, along with alerting on policy violations from both the license and the security viewpoint.
  • Build and maintain integrations for DevSecOps utilizing the SCA tool and SCM with a planned cadence.
  • Deep knowledge of CVE, CWE, CVSS, and common vulnerability classes.
  • Develop processes and improvements around toolsets along with technical guides / documentation for toolset features and best practices
  • Ability to interact with the product teams to explain the remediation and enforce security measures by participating in the design and implementation of product security practices.
  • Experience in managing exceptions and the risk register, and in making recommendations to Security Requirements
  • Knowledge of managing the disposal of end-of-life or obsolete components would be a plus.
  • BA/BS degree in computer science, engineering, or information security. Desirable - one or more security certifications: CEH, CISM, CISSP
  • Must have excellent verbal, written and presentation skills. Ability to work in a fast-paced and highly collaborative environment.


Tags: Application security CEH CI/CD CISM CISSP Cloud Computer Science CVSS DevSecOps FOSS Monitoring Product security SBOM Strategy Vendor management

Region: Asia/Pacific
Country: India
