Staff Systems Engineer - Product Security, Munich (hybrid/onsite)

Job description:

FERNRIDE is an equal opportunity employer.

What you will work on / How you will leave your footprint

  • Establish and shape cybersecurity awareness and management across the product domain.
  • Conduct threat analysis and risk assessment (TARA) — identify assets, model threat scenarios and attack paths, assess attack feasibility and impact, and determine cybersecurity assurance levels.
  • Define and maintain attacker and asset models — adversary profiles, asset criticality classifications, and security domain boundaries.
  • Specify security controls — defense-in-depth measures including network segmentation, access control, authentication, encryption, secure boot, and intrusion detection.
  • Define technical security architecture — security domains, trust boundaries, secure communication channels, and key management strategy.
  • Own supply chain security — evaluate third-party components for known vulnerabilities, define secure procurement requirements, and manage the SBOM.
  • Define secure development lifecycle requirements and align with engineering teams on security-relevant coding practices and CI/CD pipeline security.
  • Own cybersecurity risk acceptance — present residual threat risk arguments and recommend security posture conditions for product release.
  • Define operational security measures — incident response procedures, security monitoring, update/patch management, and key rotation.
  • Maintain cybersecurity concept documents and compliance matrices (Cyber Resilience Act, Radio Equipment Directive security clauses, AI Act security clauses).
  • Coordinate with System Safety on threat landscape input for hazard analysis (cyber-physical attack paths), alignment of operational security and safety measures, and safety-security interactions at mode-transition boundaries.
  • Coordinate with Design Assurance on shared technical architecture — fail-safe vs. fail-secure decisions, component selection criteria, and unified software development guidelines.
  • Translate security controls into actionable implementation guidance for engineering teams; review designs for attack surface exposure.
  • Define penetration test scope, attack simulation scenarios, and acceptance criteria for V&V; review and accept V&V evidence for cybersecurity claims.
  • Coordinate with Quantum Systems core group on security aspects of the C3 system (MOSAIC) and multi-domain operation.
  • Develop and maintain AI-assisted workflows for security analysis and compliance auditing.

What you bring to the team

  • Deep expertise in cybersecurity management and engineering for embedded systems, with an engineering mindset and hands‑on attitude.
  • Understanding of IT and embedded systems technology, and state‑of‑the‑art security controls and approaches.
  • Experience with threat analysis and risk assessment (TARA), attacker modelling, and defense‑in‑depth architecture for resource‑constrained platforms.
  • Experience with supply chain security — CVE tracking, SBOM management, and secure procurement requirements.
  • Understanding of secure development lifecycle practices — code review, static analysis, dependency scanning, and CI/CD security gates.
  • Strong collaboration skills — you work closely with safety engineers, hardware/software teams, and V&V to find feasible solutions that don’t cause unacceptable cybersecurity risks.
  • Interest in AI‑assisted engineering workflows and willingness to shape how AI tools support security analysis and compliance management.
  • Comfortable working with software development tools — GitHub, VS Code, Bazel, Markdown, and CI/CD pipelines — to operate and evolve the AI‑assisted methodology.

Nice to have

  • Working knowledge of ISO 21434, IEC 62443 series, EU Cyber Resilience Act, Radio Equipment Directive (security aspects), and AI Act (security aspects).

What we offer @ FERNRIDE

  • All‑day breakfast and unlimited drinks, fruits, and snacks.
  • Select one of three options: (1) EUR 40 Spendit card/month (2) Wellpass (3) Mobility card.
  • Company pension scheme.
  • Team, department, and company events.
  • 30 days of vacation.
  • Up to six weeks of remote work in countries covered under the EHIC (European Health Insurance Card).


Job information

  • Publication date: 17 Apr 2026
  • Location: WorkFromHome
  • Type: Full-time
  • Work model: On-site
  • Category:
  • Experience: 2+ years
  • Employment relationship: Employee
