
Principal Security Engineer

Spire
401(k)
United States, Colorado, Boulder
Nov 25, 2025

We're leveling up our security engineering on a solid foundation: a standardized AWS developer platform, an established toolchain for satellite software, ISO 27001 certification, and ongoing business with government customers across the world. To push toward CMMC Level 2+ compliance for CUI handling in our defense-relevant environment, we're seeking a senior technical lead to own product security strategy and execution. The core responsibility will be to shift security left and integrate it throughout all our development processes: embedding automated controls like SBOMs, scanning, and secure pipelines into CI/CD, and maintaining standard libraries and infra for authn/authz and logging. You will also work on monitoring tools for operational services, and where control inheritance is insufficient, you'll help teams figure out how to align their systems with NIST 800-171/CMMC and other security objectives.

This is a senior, hands-on IC role with leadership: you'll code, configure, and debug while mentoring and tasking a small team of security engineers. As the technical leader of our Product Security Team you'll work closely with our chief software engineer to align security objectives and software roadmap, with our AWS infra team for cloud hardening, with our dev tooling team for satellite software security, as well as with the cybersecurity/GRC group. Lean setup with bureaucracy primarily handled by GRC and TPM teams, just impact through code and architecture, building on what we already do well.

As part of the role you may also engage in discussions with peers at government entities and other bodies on security related matters.

Key Responsibilities:



  • Security Controls in SDLC: Integrate security automation into our pipelines (e.g., GitHub Actions/ArgoCD for SAST/DAST/SCA, SBOM, vuln scanning).
  • Strengthen Shared Libraries and Infra: Evolve standard libraries/infra for authn/authz and logging and other run-time security concerns.
  • Advance CMMC Compliance: Hands-on implementation to meet/exceed CMMC Level 2 controls (AC, IA, SC, SI families), e.g., encryption, secure configs, monitoring, leveraging our ISO 27001 base and federal experience.
  • Perform Reviews and Models: Conduct security architecture reviews, code audits, and threat modeling. Identify/fix issues like API vulns or supply chain risks.
  • Team Guidance: Mentor and assign work to security engineers, advancing secure practices via code reviews, pair sessions, and tooling. Optional: Management for hiring/reviews if interested.
  • Define the security perimeter within software architectures to establish clear trust boundaries where security requirements will be enforced across all components.
  • Conduct detailed vulnerability impact assessments to accurately determine the severity and business risk of identified findings, guiding effective remediation priorities.


Required Qualifications:



  • Experience: 10+ years in software/security engineering, 6+ in sec-focused roles. Shipped secure cloud systems (AWS), CI/CD security, and compliance projects (CMMC/FedRAMP/NIST).
  • Technical Expertise: Mastery of container security (Docker/K8s), tools (Trivy/Snyk/Falco/OPA), languages for tooling (Python/Rust). Modern attacks/defenses.
  • Security Acumen: Fluency in threats (injection, lateral moves), controls (800-53 mappings), DevSecOps. SBOMs, zero-trust, SIEM-fed logging.
  • Interpersonal Skills: Ability to engage with staff internally in a constructive way and represent Spire externally.


Preferred Skills:



  • AWS sec services (GuardDuty, Security Hub, Config), IaC (Terraform).
  • Embedded/satellite sec (secure boot, updates).
  • Open-source sec contribs.
  • Relevant certs (CSSLP/OSCP/GIAC) if reflecting real expertise.
  • Leadership Fit: Proven mentoring, leading initiatives, influencing in small teams.


Bonus



  • Other: Cleared for sensitive data; regulated industry exp (defense/aerospace).



Spire operates a hybrid work model, and this position will require you to work a minimum of three days per week in the office.

Access to US export-controlled software and/or technology may be required for this role. If needed, Spire will arrange the necessary licenses; this is not something candidates need to have before applying.

The anticipated base salary range for this position is listed below. Final base salary for this role will be based on the location, skills, experience and qualifications. In addition to base compensation, this role may be eligible for annual equity awards and our employee benefits program, including vacation, sick, and personal time off; optional medical, dental, vision, life, and disability coverage; a 401(K) plan; health and wellness reimbursement program; and participation in Spire's Employee Stock Purchase Plan.

Salary Range
$202,500 - $238,500 USD


Global Perks

Name Your Satellite Program (NYSP)
Launch Attendance
Generous Time Off Policy
Education Assistance Program
Employee Assistance Program (EAP)
Employee Stock Purchase Program (ESPP)
Family Leave
Fitness Reimbursement
Employee Referral Program
Healthy snacks & beverages in every office

About Spire

We improve life on Earth with data from space.

Spire Global is a space-to-cloud analytics company that owns and operates the largest multi-purpose constellation of satellites. Its proprietary data and algorithms provide the most advanced maritime, aviation, and weather tracking in the world. In addition to its constellation, Spire's data infrastructure includes a global ground station network and 24/7 operations that provide real-time global coverage of every point on Earth.


Spire is Global and our success draws upon the diverse viewpoints, skills and experiences of our employees. We are proud to be an equal opportunity employer and are committed to equal employment opportunity regardless of race, color, ancestry, religion, sex, national origin, sexual orientation, age, marital status, disability, gender identity or veteran status.

To help maintain a safe and secure workplace for Spire employees, all candidates who receive a conditional offer will be required to complete a background check. This may include criminal history and employment verification.

Please take a moment to review Spire's Global Data Privacy Notice for Employees, Contractors, Candidates and Visitors, as well as Spire's Privacy Policy.


Kindly be advised that communication regarding your application may come from @spire.com, @recruiting.spire.com, or from Candidate.fyi (our scheduling tool).
