Join Our Team as an Embedded Systems Security Engineer!
Are you passionate about pioneering security solutions for cutting-edge embedded Linux platforms? We are seeking an innovative and experienced Embedded Systems Security Engineer to lead the design and implementation of robust security architectures for next-generation devices. In this pivotal role, you'll bridge the gap between hardware security, kernel hardening, and secure user-space application containment, ensuring our products are resilient, scalable, and secure from the ground up. If you're ready to make a tangible impact on device security at scale, we want to hear from you.
What You Will Do:
- Design and implement Hardware Root of Trust and Secure Boot architectures from the bootloader to the Linux kernel.
- Develop cryptographically verified read-only filesystems using dm-verity and implement data encryption at rest.
- Build and maintain Trusted Execution Environments (TEEs) like OP-TEE, and develop secure applications.
- Enforce strict user-space isolation using SELinux, AppArmor, cgroups, namespaces, and seccomp filters.
- Automate cryptographic signing pipelines within CI/CD workflows, utilizing HSMs or secure key vaults.
- Collaborate with manufacturing to develop secure device provisioning scripts and validation tools.
- Architect multi-slot boot recovery systems to enhance system resilience against OTA failures and corruption.
Required Skills:
- Bachelor’s degree in Computer Science, Electrical Engineering, or related field (or equivalent experience).
- 6+ years of experience in Embedded Linux development, board bring-up, and BSP customization.
- 3+ years deploying device-level security features into production hardware.
- Expertise with bootloader configurations (U-Boot, Barebox) and Linux kernel security subsystems (dm-crypt, dm-verity).
- Deep understanding of ARM TrustZone architecture (ARMv7-A / ARMv8-A).
- Proven experience with SELinux/AppArmor policies and Linux containment tools (cgroups, namespaces).
- Proficiency with embedded build systems like Yocto Project or Buildroot.
- Strong programming skills in C, with scripting expertise in Python or Bash.
Nice to Have Skills:
- Solid foundation in cryptography, including symmetric/asymmetric algorithms, SHA-256/384, and PKI.
- Experience working with Contract Manufacturers or factory lines on secure key injection and fuse-burning protocols.
- Knowledge of embedded container runtimes (LXC, crun) and lightweight sandboxing frameworks.
- Experience designing anti-rollback protection mechanisms for OTA updates.
Preferred Education and Experience:
- Bachelor’s degree in a relevant technical discipline.
- 6+ years of hands-on experience in embedded Linux security and development environments.
- Prior experience with manufacturing-scale deployments and security protocols.
Other Requirements:
- This is an onsite role based in Foster City, CA. Must be willing to work 5 days in the office.
- No relocation is provided; local candidates preferred.
- Ability to work collaboratively with manufacturing and engineering teams.
- Must be legally authorized to work in the United States.
DeWinter Group and Maris Consulting are equal opportunity employers, and all qualified applicants will receive consideration for employment without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws. We post pay scales which are based on our client pay ranges. DeWinter, Maris, and our clients have the right to modify the requirements of the role, which can impact the pay ranges posted.





