Northwood Space

Product Security Lead

Torrance, CA
Full-time, Engineering

Job Description

Northwood is a modern space infrastructure company bringing the benefits of space to the masses through advanced communications technology. We are building a global network of phased array ground stations that enable real-time, reliable communication for satellite missions such as national security, global connectivity, and disaster response. With a vertically integrated approach, Northwood designs, builds, and rapidly deploys scalable systems that power the next generation of space missions. If you like solving complex challenges and seeing your work deployed around the world with real impact, Northwood is the place to do it.

Role

As Product Security Lead, you will own the security of Northwood's software and systems from design through deployment. This is a senior technical leadership role for an engineer with deep expertise across the full product security lifecycle — from threat modeling and secure architecture review to penetration testing, vulnerability management, and the cryptographic foundations that protect mission-critical space communications.

You will embed security into every stage of our software development lifecycle, build and mature our application security program, and ensure that the products Northwood delivers to government and commercial customers meet the most demanding security requirements in the industry. This role partners closely with product and infrastructure engineering teams and reports to the Head of Security.

Responsibilities

Application Security & SDLC

  • Own application security across the full software development lifecycle, ensuring security requirements are defined, validated, and enforced from design through production release.

  • Conduct security architecture reviews and threat modeling for new product features, platform changes, and third-party integrations.

  • Establish and maintain secure coding standards, security review gates, and developer security training programs.

  • Serve as the primary security liaison for product engineering teams, translating compliance and security requirements into actionable engineering guidance.

SAST, DAST & Vulnerability Management

  • Deploy, manage, and continuously improve static application security testing (SAST) and dynamic application security testing (DAST) tooling integrated into development workflows.

  • Own the vulnerability management program end-to-end: discovery, triage, prioritization, remediation tracking, and reporting across product and infrastructure systems.

  • Conduct and coordinate penetration testing against Northwood's products and infrastructure, including scoping, execution, findings management, and remediation validation.

  • Build and maintain container security scanning, dependency analysis, and software composition analysis (SCA) pipelines.

CI/CD Security & Secrets Management

  • Integrate automated security validation and policy enforcement into CI/CD pipelines, ensuring security controls do not impede engineering velocity.

  • Own secrets management infrastructure, including deployment, policy configuration, access controls, and audit logging for platforms such as HashiCorp Vault.

  • Implement and enforce controls for secure artifact management, signing, and supply chain integrity across build and deployment pipelines.

  • Review and harden Infrastructure as Code, GitOps workflows, and deployment automation for security misconfigurations and policy violations.

Cryptography & Secure Communications

  • Design and implement cryptographic controls for data at rest, data in transit, and satellite communication protocols, ensuring alignment with NIST standards and government customer requirements.

  • Evaluate and advise on cryptographic library selection, key management architecture, and certificate lifecycle management.

  • Identify and remediate cryptographic weaknesses across product systems, including legacy protocol usage, weak cipher configurations, and improper key handling.

Team Leadership & Cross-Functional Collaboration

  • Hire and develop product security engineers as the team scales.

  • Collaborate with network operations, mission management, and compliance teams to maintain a security posture that enables mission success without breaking deployment cycles.

  • Build security documentation, audit evidence, and reporting standards that satisfy FedRAMP, CMMC, and NIST 800-171 requirements.

Basic Qualifications

  • 5+ years in product security, application security, or a closely related security engineering discipline, with demonstrated technical leadership experience.

  • Deep expertise in SAST and DAST tooling, including tool selection, integration into CI/CD pipelines, and results-driven vulnerability remediation programs.

  • Hands-on experience conducting or coordinating penetration testing engagements, including scoping, execution, and remediation validation.

  • Strong applied cryptography knowledge, including symmetric and asymmetric encryption, PKI, key management, and secure protocol design.

  • Experience owning vulnerability management programs, including prioritization frameworks, SLA enforcement, and executive reporting.

  • Proficiency with secrets management platforms such as HashiCorp Vault, including policy design and access control architecture.

  • Experience securing CI/CD pipelines and GitOps workflows, including IaC security review and automated security gate implementation.

  • Proficiency in one or more general-purpose programming languages (Python, Go, Rust, or equivalent).

  • Familiarity with government compliance frameworks including NIST 800-171, CMMC, and FedRAMP.

  • Ability to obtain and maintain a TS/SCI clearance.

  • U.S. citizenship or status as a lawful permanent resident required to conform with ITAR export regulations.

Preferred Qualifications

  • Active TS clearance or higher.

  • Experience with HashiCorp Vault, Terraform, and ArgoCD in production environments.

  • Hands-on experience with container security scanning, admission controllers, and microservices security patterns.

  • Familiarity with software supply chain security frameworks and tooling (SLSA, Sigstore, SBOM generation).

  • Background in aerospace, defense, critical infrastructure, or other regulated industries.

  • Experience with DFARS compliance, ITAR, and government contracting security requirements.

  • Familiarity with eMASS or similar government assessment and authorization tools.

  • CISSP, CSSLP, OSCP, or equivalent professional certification.

Additional Requirements

  • This position requires successfully obtaining and maintaining a Top Secret Security Clearance as a condition of employment. While the clearance may not be immediately necessary upon hire, we encourage you to initiate the application process promptly upon accepting this offer. Your ability to secure the necessary clearance is essential for fulfilling key responsibilities of the role. Should you be unable to obtain it, Northwood Space reserves the right to modify or terminate your employment to align with operational needs.

Additional Information:

If you need a reasonable accommodation as part of your application for employment or interviews with us, please let us know.

To conform to U.S. Government space technology export regulations, including the International Traffic in Arms Regulations (ITAR), you must be a U.S. citizen, lawful permanent resident of the U.S., protected individual as defined by 8 U.S.C. 1324b(a)(3), or eligible to obtain the required authorizations from the U.S. Department of State.

Northwood Space is an Equal Opportunity Employer; employment with Northwood Space is governed on the basis of merit, competence and qualifications and will not be influenced in any manner by race, color, religion, gender, national origin/ethnicity, veteran status, disability status, age, sexual orientation, gender identity, marital status, mental or physical disability or any other legally protected status.


First seen: June 20, 2026
Last updated: June 24, 2026