Generac
Website:
generac.com
Job details:
Primary Purpose
The Senior Product Security Assessor is responsible for performing structured, risk-based security assessments across Generac products and platforms, spanning backend cloud services, DevSecOps pipelines, and IoT devices. This role is assessment-focused rather than build-focused, combining deep technical understanding with strong analytical and documentation skills. The assessor evaluates architectures, implementations, and controls against established security requirements and standards, particularly IEC 62443, and provides clear, actionable remediation guidance to engineering teams. This role aligns with the offshore Product Security engagement model and supports scalable, repeatable security reviews across the portfolio.
Major Responsibilities
• Conduct end-to-end product security assessments for cloud services, backend systems, DevSecOps pipelines, and IoT devices against defined security requirements.
• Evaluate security controls across application, infrastructure, device, and pipeline layers to identify gaps, weaknesses, and non-conformances.
• Perform assessments aligned to IEC 62443 and internal Generac product security standards.
• Clearly document assessment scope, findings, compliance status, and overall security posture.
• Perform structured threat modeling for identified findings and architectural designs across cloud, device, and DevSecOps domains.
• Assess risk severity and potential impact, considering exploitability, exposure, and business context.
• Translate technical findings into clear risk statements that engineering and product teams can act upon.
• Assess backend cloud architectures, including containerized workloads and orchestrated environments, for secure configuration, network segmentation, identity controls, and data protection.
• Review container security practices such as image scanning, runtime protections, and least-privilege configurations.
• Evaluate cloud logging, monitoring, and incident detection capabilities to ensure adequate security observability.
• Assess CI/CD pipelines to ensure security controls are integrated and consistently applied.
• Review use of SAST, DAST, SCA, and infrastructure-as-code scanning within development workflows.
• Evaluate secrets management, key handling, and signing processes used in build and release pipelines.
• Identify gaps in automation, enforcement, or visibility that could introduce security risk.
• Conduct IoT device security assessments covering hardware, firmware, and embedded software.
• Evaluate secure boot, firmware signing, credential storage, encryption, and update mechanisms.
• Assess protections against physical tampering, reverse engineering, and unauthorized firmware modification.
• Review device compliance against IEC 62443-based device security requirements.
• Produce clear, structured assessment reports that document findings, risk ratings, and compliance gaps.
• Provide prioritized, risk-informed remediation recommendations that are practical and actionable.
• Support engineering teams by clarifying findings, answering technical questions, and validating remediation evidence.
• Execute assessments in alignment with defined Product Security engagement models and timelines.
• Participate in regular checkpoints, status updates, and structured feedback sessions.
• Ensure consistency and quality across assessments through standardized templates and methodologies.
Education
Bachelor’s degree in Computer Science, Engineering, Cybersecurity, or a related technical field. Equivalent practical experience is also valued.
Work Experience
• 5+ years of experience in product security, cloud security, DevSecOps, or IoT security roles.
• 5+ years of IT audit experience.
• The ability to manage up to 10 concurrent, complex audits.
• Hands-on experience performing threat modeling, vulnerability assessments, and security reviews.
• Strong understanding of backend cloud architectures, container platforms, and CI/CD pipelines.
• Experience with IEC 62443 compliance assessments or similar industrial cybersecurity standards in production environments.
• Experience conducting security assessments of IoT or embedded devices, including firmware analysis and hardware security evaluation.
• Familiarity with DevSecOps tooling such as SAST, DAST, SCA, and infrastructure-as-code scanning platforms.
• Experience with cloud security posture management in AWS, Azure, or GCP environments.
Knowledge / Skills / Abilities
• Working knowledge of embedded systems, firmware security, and IoT security principles.
• Mastery of security standards and frameworks such as IEC 62443, ISO 27001, and NIST 800-53.
• Ability to produce clear, concise, and high-quality security assessment documentation.
• Clear communicator who can work across engineering, product, and security stakeholders.
Certification / License
Certifications such as CISSP, CCSP, CSSLP, or cloud security certifications are helpful but not required.