Principal Product Security Architect

at Qualys

Pune, India | Manager | Posted 2026-04-24

About this role

Come work at a place where innovation and teamwork come together to support the most exciting missions in the world!

Principal Product Security Architect

Role Overview

We are seeking an experienced Principal Product Security Architect to join our Product Security team as a player-coach, combining hands-on technical leadership with strategic security guidance. This role will drive security excellence across our product portfolio through risk assessment, architecture reviews, threat modeling, and by establishing secure development patterns that enable engineering teams to build security in from the start. You will serve as a trusted advisor to engineering leadership while remaining deeply technical and creating tangible security artifacts that scale across the organization.

Key Responsibilities

Security Architecture & Risk Assessment

  - Partner with engineering teams early in the design process to embed security controls and minimize remediation costs
  - Conduct comprehensive architecture reviews for major changes, new features, services, and products, identifying security risks and recommending mitigations
  - Perform architecture reviews and threat modeling exercises using frameworks such as STRIDE and/or attack trees to systematically identify and prioritize threats
  - Author risk assessment reports for executive leadership, product management, and engineering stakeholders, translating technical findings into business impact
  - Develop specific, timely, and thoughtful requirements and solution improvements that manage the risks identified in your assessment
  - Build and maintain reference architectures that demonstrate secure design patterns for common use cases (microservices, APIs, data pipelines, etc.)

Security At Scale

  - Create and publish secure code snippets, libraries, and design patterns that serve as "paved pathways" for development teams
  - Maintain a library of security patterns addressing common vulnerabilities (injection flaws, authentication weaknesses, cryptographic failures, etc.) that developers can leverage as pre-built mitigations to classes of vulnerabilities
  - Develop comprehensive security guidance documentation, including secure coding standards, cryptography guidelines, and authentication/authorization patterns
  - Build reusable security components and frameworks that make secure development the path of least resistance
  - Establish security architecture principles and guardrails that balance security requirements with developer velocity

Product Security Operations

  - Actively use our products in realistic scenarios to identify security gaps, usability issues, and opportunities for security improvements
  - Provide actionable feedback to product and engineering teams on security features, controls, and user experience
  - Collaborate with Product Security Incident Response Team (PSIRT) on vulnerability analysis and remediation strategies
  - Support security assessment efforts including penetration testing, code reviews, and security tooling integration
  - Contribute to security compliance initiatives (FedRAMP, NIST SSDF) through architecture documentation and control validation

Leadership & Stakeholder Management

  - Represent Product Security in technical design reviews, architecture review boards, and risk committees
  - Serve as a security thought leader across engineering, product, and executive teams
  - Mentor security engineers and champion security champions within development teams
  - Build strong relationships with engineering leadership to influence security strategy and priorities
  - Present security architecture decisions, risk trade-offs, and recommendations to senior leadership
  - Drive cross-functional initiatives that improve security posture while maintaining development velocity

Qualifications

Requirements

  - 13+ years of experience in information security with at least 5 years focused on product security, application security, or security architecture
  - Deep expertise in secure software development lifecycle (SDLC) practices and modern development frameworks
  - Proven experience conducting threat modeling and risk assessments for complex distributed systems
  - Strong understanding of common vulnerability classes (OWASP Top 10, CWE Top 25) and secure coding practices across multiple languages
  - Demonstrated ability to write production-quality code and create technical security guidance for engineering teams
  - Experience building reference architectures, libraries, and automations that address security at scale
  - Excellent written and verbal communication skills with ability to tailor messaging for technical and executive audiences
  - Track record of influencing engineering practices and building trust with development teams

Preferred Qualifications

  - Experience with cloud-native architectures (AWS, Azure, GCP) and container security (Kubernetes, Docker) as well as large-scale private cloud deployments
  - Experience assessing and securing Java platforms, event-driven architectures, and data security in multi-tenant SaaS solutions
  - Knowledge of cryptography, PKI, authentication protocols (OAuth 2.0, SAML, OIDC), and identity management
  - Background in security compliance frameworks (NIST SP 800-53, NIST SSDF)
  - Certifications such as CISSP, CISSP-ISSAP/TOGAF would be an added advantage.
  - Contributions to open-source security projects or published security research
  - Familiarity with Infrastructure as Code (Terraform) and Policy as Code (OPA)
  - Experience with security automation, SAST/DAST tools, and security testing frameworks
  - Security certifications such as CISSP, OSCP, GIAC, or similar credentials
  - Experience working in regulated industries (government, healthcare, financial services)

Skills

  - Communication: Both verbal and written communication skills are key, as is the ability to explain why security improvements are needed
  - Languages: Proficiency in at least two of: Java, Python, Go, React
  - Security Tools: Experience with threat modeling tools, SAST/DAST scanners, dependency checkers, and security testing frameworks
  - Architecture: Deep understanding of microservices, APIs, event-driven systems, and distributed architectures
  - Security Controls: Expertise in authentication, authorization, encryption, secrets management, and secure communications
  - Methodologies: Threat modeling (STRIDE), risk frameworks (FAIR, NIST RMF), secure design principles (least privilege, defense-in-depth, zero trust)
