Meet our Team

The Sr. Product Security Architect will be a member of a DevSecOps organization and works with our software product development organizations to enable them to build in enhanced security in software products. The ideal candidate possesses strong security and systems experience and has worked with SaaS, microservices, monolithic, and appliance applications on digital platforms, cloud, and/or IoT device ecosystems in a cross-functional environment. As a trusted technical partner, expert, and thought leader, this role will help shape the future of Hitachi Vantara's core product portfolio and digital transformation. The execution of your primary roles and responsibilities will be collaborative, largely unsupervised, and require a high degree of self-motivation. You will apply a practical, risk-based approach while both leading and advising product teams in the security domains. This is a highly technical role with approximately 80% as architect/designer/advisor. Hitachi Vantara is looking for a contributing team member to assist in maturing our overall product security program, mentor others, and be a hands-on partner to our product teams to deliver innovative and secure products and experiences to customers.

What you'll be doing

- Define security best practices and implementation guidance for containerized software deployments in Kubernetes.
- Establish best practices for the effective avoidance, identification, and resolution of security weaknesses in products, services, IT, and related processes for Hitachi Vantara products.
- Coordinate with DevSecOps team members to build security and compliance scanning and reporting into our CI-CD pipelines with a strong emphasis on "shifting left".
- Engage with product teams as both advisor and contributing team member to enable building security into complex systems across the entire product lifecycle (from concept through deployment and use), including conducting security reviews and coordinating penetration testing.
- Lead & Partner with developers and testers in security activities during the product lifecycle, such as secure design reviews/threat modeling, security code reviews, security test planning, and component security hardening, to identify potential security weaknesses.
- Innovate on technical solutions to solve security challenges in product architecture and SaaS, implementation, testing, release, and operations. Coordinate and guide the response to security vulnerabilities that are reported by 3rd party researchers or customers against released products and services.
- Work closely with other security professionals in Information Security, DevSecOps, and product development teams to execute key functions such as secure code signing, secure manufacturing, and secure product operations.
- Interact with development to enable security of product components in the supply chain.
- Keep abreast of advances in secure system design and development practices, threats and threat actors, and new attack techniques or areas of security research, and provide guidance to the product organizations to help them avoid or mitigate future security concerns.
- Core architecture leader of the DevSecOps security group contributing to security program design, developing product security standards and processes, and defining appropriate program metrics. Help drive maturity and adoption of the overall program.
- Participate as a senior contributor to the broader Hitachi Vantara security team representing product security and connecting it into the overall security framework and program.
- Participate as a CFT (Cross Functional Team) or CTT (Cross Technical Team) member as assigned.
- Perform analysis and execute POVs (Proof of Value) and POCs (Proof of Concepts) initiatives evaluating third party and in-house security and compliance tools.

What you bring to the team

- 5 - 8 years' related experience; Master's degree a plus or Bachelor's Degree in related Software engineering or scientific discipline required.
- Some understanding of public cloud (AWS, Azure, GCP) IAM, security group, and other security controls and administration.
- Some familiarity with on-premises virtualization with vSphere.
- Secure software / systems development lifecycle experience. Demonstrable knowledge and experience in multiple of the following areas: Software development, SDLC, dependency management, coding, and scripting skills.
- Good understanding of Kubernetes architecture and how applications are deployed in this containerized auto-scaling environment.
- Strong familiarity with one or more common SCA, SAST, DAST, IAST tools (e.g., OWASP, Synopsys, Qualys, SonarQube, JFrog Xray, Coverity, Whitesource, Checkmarx, Veracode, Snyk, and similar).
- Application or system hardening, Security Testing / Penetration Testing, Fuzzing, Cloud security, Cryptography, Forensics, or reverse engineering.
- Knowledge of common security standards and best practices, such as NIST 800-53/800-160, ISO 270xx, CWE, CVSS, OWASP Top 10, CERT Secure Coding Standards.
- Experience with cryptographic libraries (e.g., wolfSSL/OpenSSL); core knowledge of certificate-based authentication and PKI.
- Experience leading secure architecture, design, and code reviews.
- Direct development experience in languages including Java, Go, Python, NodeJS, or C/C++ experience desirable.
- Certified Software Security Lifecycle Professional (CSSLP), Certified Information Systems Security Professional (CISSP) certification, SANS GIAC Certified Incident Handler (GCIH), or SANS GIAC Certified Penetration Tester (GPEN) or equivalent certification.
- Experience with CI/CD tools and practices, Waterfall, Agile, DevOps, or V-Model development methodologies and experience with any of the application security tools as SonarQube, Fortify, Clang preferred.
- Prior or current involvement in industry security initiatives such as IETF, OWASP, ISO, CWE, BSIMM, Cloud Security Alliance, or any open-source project related to security.
- Competence in resolving problems/conflicts in a diplomatic and tactful manner.
- Experienced and comfortable making risk-based recommendations and judgments.
- Excellent written and verbal communication skills; must understand and be able to deliver security concepts and challenges to various levels within the organization (e.g. developers, program management, business leaders)

Our Company

Hitachi Vantara is part of the Global Hitachi family. We balance innovation with an open, friendly culture and the backing of a long-established parent company, known for its ethical reputation. We guide customers from what's now to what's next by unlocking the value of their data and applications to solve their digital challenges, achieving outcomes that benefit both business and society.
Our people are our biggest asset, they drive our innovation advantage and we strive to offer a flexible and collaborative workplace where they can thrive. Diversity of thought is welcomed and our employee base is represented by several active Employee Resource Group communities. We offer industry leading benefits packages (flexible working, generous pension and private healthcare) and promote a creative and inclusive culture. If driving real change gives you a sense of pride and you are passionate about powering social good, we'd love to hear from you.

Our Values

We strive to create an inclusive environment for all and are open to considering home working and compressed/flexible hours. Get in touch with us to explore how we might be able to accommodate your specific needs.
We are proud to say we are an equal opportunity employer and welcome all applicants for employment without attention to race, colour, religion, sex, sexual orientation, gender identity, national origin, veteran or disability status. With Japanese roots going back over 100 years, our culture is founded on the values of our parent company expressed as the Hitachi Spirit:
Wa - Harmony, Trust, Respect
Makoto - Sincerity, Fairness, Honesty, Integrity
Kaitakusha-Seishin - Pioneering Spirit, Challenge