Senior DevSecOps Engineer - Cyber Resilience Act (CRA) Compliance

Pilare Perspective LLC

Las Vegas | Full-time | Mid Level | On-site

Job Description

Pilare Perspective LLC, in partnership with our customer, is striving to achieve compliance with the EU Cyber Resilience Act (CRA). The customer product portfolio is broad and diverse, spanning embedded systems, long-lifecycle devices, and a large codebase of legacy repositories built before modern DevSecOps practices were in place. This role is about introducing security controls into existing systems at scale, not greenfield development.

You will be the US-based team lead working as part of the global team. Together you will build and operationalize the security scanning pipeline, establish SBOM generation processes, and ensure the Customer's products meet CRA requirements.

What You'll Do

- Design, configure, and run SAST pipelines for C/C++ projects, primarily using Veracode (including preparing preprocessed source, managing compilation requirements, and debug symbols)
- Configure and operate SCA tools with CVE monitoring across dependencies (Veracode SCA, yocto-cve-check)
- Generate and maintain Software Bills of Materials (SBOM) in CycloneDX and SPDX formats
- Integrate security tools (SAST, SCA, SBOM) into CI/CD pipelines using GitHub Actions, including designing reusable workflows and composite actions that scale across dozens of repositories
- Deploy security gates before release or merge across the product portfolio
- Migrate repositories from legacy VCS systems (SVN, Bitbucket, GitLab) to GitHub: planning, execution, and verification
- Design or contribute to a centralized vulnerability and waiver database providing consistent risk management, audit traceability, and long-term reporting for CRA compliance
- Balance regulatory compliance, engineering pragmatism, and scalability across teams, repositories, and products
- Collaborate daily with the global team on shared tooling and pipeline work

Required Experience

- 5+ years in DevSecOps, Application Security, or a closely related engineering role combining DevOps/CI/CD, C/C++ knowledge, and product security
- Hands-on experience launching and scaling SAST and SCA for existing (non-greenfield) codebases
- Strong working knowledge of Veracode (SAST and/or SCA); experience with CodeSonar or similar tools is a plus
- Proven track record designing GitHub Actions workflows (reusable workflows, composite actions) at multi-repo scale
- Experience with C/C++ build systems: CMake, Make, and vendor-specific toolchains
- Familiarity with embedded environments: Yocto/Buildroot, RTOS (FreeRTOS, Zephyr), bare-metal projects with vendor HALs and toolchains (GCC ARM, IAR)
- Experience generating SBOMs and understanding of the CycloneDX / SPDX standards
- Comfort working with legacy codebases and heterogeneous build environments
- Python scripting skills for automation and tooling
- Strong Linux command-line and bash proficiency

Preferred / Nice-to-Have

- Direct experience translating regulatory or compliance requirements (CRA, IEC 62443, FDA cybersecurity guidance, etc.) into technical implementation plans
- Experience designing centralized vulnerability databases or exception/waiver tracking systems
- Background in VCS migrations (SVN to GitHub, Bitbucket to GitHub)
- Exposure to semi-automated vulnerability remediation approaches, including AI-assisted tooling
- Familiarity with ITAR-regulated environments

What We're Looking For in a Person

- Senior-level or above, with a high degree of autonomy and ownership
- Able to influence architecture, tooling choices, and long-term technical direction
- Comfortable working end-to-end: from requirements analysis through implementation to operationalization
- Strong communicator who can collaborate effectively across time zones (US and Europe)
- Pragmatic problem-solver who can balance "do it right" with "get it running"

Engagement Details

- 1099 Independent Contractor: you manage your own taxes, insurance, and benefits
- Hybrid schedule: 3 days per week on-site at the Customer's premises in the greater Seattle area
- Team structure: you as lead plus additional engineers in Europe; you are the US-based point person
- US citizenship or authorization required due to ITAR considerations
