Senior Product Security Consultant

About the Job:
CENSUS is a cybersecurity engineering powerhouse specializing in securing products and organizations. Our identity is rooted in professionalism, engineering excellence, a scientific mindset, and hacking demeanor. We are research-driven, delivering a diverse range of professional services. CENSUS is trusted to conduct high-impact product security engagements, helping clients secure their solutions from design to deployment, utilizing realistic and risk-informed approaches.

We are seeking a technically strong and detail-oriented Senior Product Security Consultant to join our Cybersecurity Engineering team. The ideal candidate will have extensive experience in product-level security verification, threat model analysis, and product-level testing. You will be responsible for evaluating the security posture of software and system products by validating architecture, threat models, and security controls. You will participate in structured evaluation projects aligned with industry and regulatory standards such as Common Criteria, ISO/IEC 27002, or equivalent frameworks.

Key Responsibilities:

• Review and validate security documentation (e.g., Security Targets, threat models, trust boundaries, asset inventories).
• Assess the completeness, accuracy, and risk coverage of various threat models and risk assessment frameworks (STRIDE, LINDDUN, OWASP, TARA, TAL, etc.).
• Verify security requirement traceability across assets, trust boundaries, and system functions.
• Conduct architectural and implementation-level reviews of security controls (e.g., encryption, access control, key management).
• Perform targeted security testing (white-box and black-box) on system APIs, client/mobile apps, backend services, and cloud infrastructure.
• Validate implementation of cryptographic controls, key lifecycle procedures, and secure communication protocols.
• Analyze secure deployment configurations across containerized platforms (Docker, Kubernetes), CI/CD pipelines, and cloud services.
• Deliver comprehensive, standards-aligned technical reports based on evaluation findings.
• Communicate product security risks clearly to both technical and non-technical audiences.

Minimum Qualifications:

• MSc or BSc in Computer Science, Electrical/Software Engineering, Cybersecurity, or a related technical discipline.
• 5+ years of experience in product security, software evaluation, or penetration testing.
• Proven ability to evaluate threat models, security requirements, and mitigation effectiveness.
• Strong technical writing and documentation skills in English.
• Excellent analytical skills and attention to detail.

Required Skills:

• In-depth understanding of security architecture and common system design patterns (e.g., API gateways, microservices, message queues, service meshes).
• Hands-on experience performing design-level security reviews and verifying implementation alignment with defined threat models.
• Familiarity with structured security frameworks such as Common Criteria, FIPS 140, ISO 15408, OWASP ASVS, and MASVS.
• Practical experience with security testing in diverse product environments (mobile, embedded, web/cloud, API).
• Knowledge of authentication, authorization, identity, and secrets management technologies (e.g., OAuth2, MFA, PKI, SSO, Cloud IAM, HashiCorp Vault).
• Proficiency in applied cryptography (e.g., mTLS, E2EE, AEAD, key derivation, key wrapping, remote attestation).
• Ability to identify security vulnerabilities across platforms (e.g., OWASP Top 10, misconfigurations, transport security gaps).
• Excellent documentation and communication skills, able to articulate technical risks and findings to diverse audiences.
• Problem solving skills, analytical thinking, and willingness to learn/grow.

Nice-to-Have Skills:

• Ability to read and analyze source code for logic flaws in one or more language families:
  • Mobile: Swift, Obj-C, Kotlin, Java, Dart, JavaScript
  • Web/Cloud: Java, Python, Go, PHP, Ruby, C#, JavaScript
  • Native/Embedded: C, C++
• Experience debugging or instrumenting applications across edge, embedded, or cloud platforms.
• Familiarity with Zero Trust architectures, enclaves, and confidential computing technologies.
• Exposure to fuzzing, symbolic execution, or static analysis techniques.
• Experience collaborating with distributed teams across different time zones and cultures.

This role presents an exciting opportunity to join a dynamic team and contribute to significant cybersecurity initiatives.