Senior Product Security Consultant

About CENSUS

CENSUS LABS is a cybersecurity engineering powerhouse specializing in securing products and organizations. Our identity is rooted in professionalism, engineering excellence, a scientific mindset, and hacking demeanor. We are research-driven, enabling us to deliver a diverse range of professional services.

CENSUS is trusted to conduct high-impact product security engagements, helping our clients secure their solutions from design to deployment, using realistic and risk-informed approaches. Our expertise spans end-to-end systems, including Secure Communications, IoT, Medical Devices, Mobile, and Vehicle Computing platforms.

Learn more about CENSUS at census-labs.com.

About the Job

CENSUS’ bespoke cybersecurity services are driven by a talented team of Security Engineers, Consultants, and Researchers whose work goes beyond traditional security assessment. Under the mentorship of our Engineering Managers, our consultants perform technical evaluations of complex systems and deliver insights that drive measurable improvements.

We are seeking a technically strong and detail-oriented Senior Product Security Consultant to join our Cybersecurity Engineering team. The ideal candidate will have extensive experience in product-level security verification, threat model analysis, and product-level testing.

You will be responsible for evaluating the security posture of software and system products by validating architecture, threat models, and security controls. You will participate in structured evaluation projects aligned with industry and regulatory standards such as Common Criteria, ISO/IEC 27002, or equivalent frameworks.

Key Responsibilities

• Review and validate security documentation (e.g., Security Targets, threat models, trust boundaries, asset inventories).

• Assess the completeness, accuracy, and risk coverage of various threat models and risk assessment frameworks (STRIDE, LINDDUN, OWASP, TARA, TAL, etc.).

• Verify security requirement traceability across assets, trust boundaries, and system functions.

• Conduct architectural and implementation-level reviews of security controls (e.g., encryption, access control, key management).

• Perform targeted security testing (white-box and black-box) on system APIs, client/mobile apps, backend services, and cloud infrastructure.

• Validate implementation of cryptographic controls, key lifecycle procedures, and secure communication protocols.

• Evaluate the use of post-quantum cryptography and hybrid models in secure key management.

• Analyze secure deployment configurations across containerized platforms (Docker, Kubernetes), CI/CD pipelines, and cloud services.

• Deliver comprehensive, standards-aligned technical reports based on evaluation findings.

• Communicate product security risks clearly to both technical and non-technical audiences.

Minimum Qualifications

• MSc or BSc in Computer Science, Electrical/Software Engineering, Cybersecurity, or a related technical discipline.

• 5+ years of experience in product security, software evaluation, or penetration testing.

• Proven ability to evaluate threat models, security requirements, and mitigation effectiveness.

• Strong technical writing and documentation skills in English.

• Excellent analytical skills and attention to detail.

Required Skills

• In-depth understanding of security architecture and common system design patterns (e.g., API gateways, microservices, message queues, service meshes).

• Hands-on experience performing design-level security reviews and verifying implementation alignment with defined threat models.

• Familiarity with structured security frameworks such as Common Criteria, FIPS 140, ISO 15408, OWASP ASVS, and MASVS.

• Practical experience with security testing in diverse product environments (mobile, embedded, web/cloud, API).

• Knowledge of authentication, authorization, identity, and secrets management technologies (e.g., OAuth2, MFA, PKI, SSO, Cloud IAM, HashiCorp Vault).

• Proficiency in applied cryptography (e.g., mTLS, E2EE, AEAD, key derivation, key wrapping, remote attestation).

• Ability to identify security vulnerabilities across platforms (e.g., OWASP Top 10, misconfigurations, transport security gaps).

• Excellent documentation and communication skills, able to articulate technical risks and findings to diverse audiences.

• Problem solving skills, analytical thinking, and willingness to learn/grow.

Nice-to-Have Skills

• Ability to read and analyze source code for logic flaws in one or more language families:

• Mobile: Swift, Obj-C, Kotlin, Java, Dart, JavaScript

• Web/Cloud: Java, Python, Go, PHP, Ruby, C#, JavaScript

• Native/Embedded: C, C++

• Experience debugging or instrumenting applications across edge, embedded, or cloud platforms.

• Familiarity with Zero Trust architectures, enclaves, and confidential computing technologies.

• Exposure to fuzzing, symbolic execution, or static analysis techniques.

• Experience collaborating with distributed teams across different time zones and cultures.