Job code
IRC286485
Published on 14 January 2026

Software Engineer-Information Security (Open Source Compliance) IRC286485

Designation

Senior Software Engineer

Function

Engineering

Experience

5-10 years

Location

United States - Dallas TX

Skills

C++-Linux, Compliance, Information Security

Work Model

On-site

Description

Engineering & Automation (Embedded + SDLC):

  • Automate audits of binaries and source for license usage; run SCA and produce SBOMs (CycloneDX/SPDX).
  • Standardize reproducible build engineering with CMake and Clang/LLVM; manage dependencies via Conan and Snapcraft (where applicable).
  • Govern artifacts in JFrog Artifactory with dependency health checks via JFrog Xray.
  • Operationalize GitOps (GitHub/GitLab) and design CI/CD pipelines using GitHub Actions / GitLab CI.

Security Testing & Vulnerability Management:

  • Integrate SAST/DAST/IAST into embedded and app pipelines (C/C++, C#, Python, JavaScript, XML); enforce gates, SLAs, and remediation workflows.
  • Triage third-party vulnerabilities and assess results from CodeQL, SonarQube, and related scanners; drive fix plans across firmware and supporting services.

Open Source Candidates & Revalidation:

  • Create, publish, and continually revalidate Open Source Candidates (GPL/MPL and others) with reproducible build scripts, license texts, copyright notices, and end-user instructions.
  • Triage and resolve revalidation build errors (toolchain, linking, dependency, packaging), ensuring public distribution materials remain accurate.

Requirements

Collaboration & Stakeholder Management:

  • Work cross-functionally with engineering teams, Legal, and senior leadership for status updates, new requirements intake, and policy alignment; engage external partners (ODMs, vendors, consultants) to meet compliance obligations.
  • 7+ years in embedded software development (Linux kernel, device/firmware), plus 2+ years in a security-focused role (DevSecOps/AppSec/Compliance).
  • Licensing & Policy: Deep, practical familiarity with GPL/LGPL/MPL/MIT/Apache requirements (attribution, source publication, relinking, derivative work analysis) and enforcement throughout the SDLC.
  • Languages & Stacks: Strong in C, C++, C#; proficient in Python/JavaScript for automation/tooling; confident with XML/JSON/YAML for configs and SBOMs.
  • Build, Packaging & Artifacts: Proficient with CMake, Clang/LLVM, cross compilers; package with Conan/Snapcraft; govern artifacts in JFrog Artifactory with risk analysis via JFrog Xray.
  • CI/CD & GitOps: Hands-on with GitHub Actions / GitLab CI and GitOps practices (GitHub/GitLab) for policy as code and environment orchestration.
  • Testing & Vulnerability Triage: Skilled at integrating and interpreting SAST/DAST/IAST results; practical experience with CodeQL, SonarQube, ScanCode, and SBOM tooling (SPDX/CycloneDX).
  • Data & Communication: Able to build Power BI dashboards, write SQL, and translate complex technical topics into clear narratives for technical and non-technical audiences.
  • Documentation & Training: Exceptional writing quality for SOPs, Working Instructions, and public distribution artifacts; experienced trainer for OSS/GRC topics.
  • Collaboration: Comfortable influencing cross-functional roadmaps and mediating license/security trade-offs with engineering, Legal, and external partners.
  • Bachelor’s or Master’s in Computer Engineering, Electrical Engineering, Computer Science, or a closely related field. Security certifications (e.g., CISSP, CSSLP) are a plus.

Job responsibilities

Compliance & Governance:

  • Conduct formal risk assessments to identify threats and vulnerabilities and recommend mitigating controls.
  • Ensure compliance with open source licenses and applicable standards (e.g., ISO 27001, ISO/IEC 5230:2020, SOC 2) in partnership with Engineering, Legal, and external stakeholders.
  • Evaluate proposed libraries before integration (GPL/LGPL/MPL/MIT/Apache), document obligations (attribution, source offer, relinking), and guide compliant implementation patterns (static vs. dynamic link, dual license scenarios).

Documentation, Training & Enablement:

  • Author/update SOPs, Working Instructions, developer-facing runbooks, and public distribution READMEs.
  • Develop and deliver open source and product-based GRC training to employees and contractors.
  • Communicate complex build processes, package management, and license implications to technical and non-technical audiences.

Incident Response & Continuous Improvement:

  • Lead incident response (identify, contain, recover), conduct post-incident reviews, and recommend program and control improvements.
  • Monitor industry trends and best practices in Open Source License Compliance; propose program updates proactively.

Data & Reporting:

  • Publish compliance/security dashboards in Power BI; use SQL to analyze SBOM coverage, license risk, vulnerability posture, and release readiness for executive decision-making.

GlobalLogic estimates the starting pay range for this role to be performed in Dallas, TX, to be $120,000 to $130,000, and reflects base salary only. This pay range is provided as a good-faith estimate, and the amount offered may be higher or lower. GlobalLogic takes many factors into consideration in making an offer, including candidate qualifications, work experience, operational needs, travel and onsite requirements, internal peer equity, prevailing wage, responsibilities, and other market and business considerations.

What we offer

Culture of caring. At GlobalLogic, we prioritize a culture of caring. Across every region and department, at every level, we consistently put people first. From day one, you’ll experience an inclusive culture of acceptance and belonging, where you’ll have the chance to build meaningful connections with collaborative teammates, supportive managers, and compassionate leaders. 

Learning and development. We are committed to your continuous learning and development. You’ll learn and grow daily in an environment with many opportunities to try new things, sharpen your skills, and advance your career at GlobalLogic. With our Career Navigator tool as just one example, GlobalLogic offers a rich array of programs, training curricula, and hands-on opportunities to grow personally and professionally.

Interesting & meaningful work. GlobalLogic is known for engineering impact for and with clients around the world. As part of our team, you’ll have the chance to work on projects that matter. Each is a unique opportunity to engage your curiosity and creative problem-solving skills as you help clients reimagine what’s possible and bring new solutions to market. In the process, you’ll have the privilege of working on some of the most cutting-edge and impactful solutions shaping the world today.

Balance and flexibility. We believe in the importance of balance and flexibility. With many functional career areas, roles, and work arrangements, you can explore ways of achieving the perfect balance between your work and life. Your life extends beyond the office, and we always do our best to help you integrate and balance the best of work and life, having fun along the way!

High-trust organization. We are a high-trust organization where integrity is key. By joining GlobalLogic, you’re placing your trust in a safe, reliable, and ethical global company. Integrity and trust are a cornerstone of our value proposition to our employees and clients. You will find truthfulness, candor, and integrity in everything we do.

About GlobalLogic

GlobalLogic, a Hitachi Group Company, is a trusted digital engineering partner to the world’s largest and most forward-thinking companies. Since 2000, we’ve been at the forefront of the digital revolution – helping create some of the most innovative and widely used digital products and experiences. Today we continue to collaborate with clients in transforming businesses and redefining industries through intelligent products, platforms, and services.
