Description
Product Security Lead – Code Signing & Secure Software for Hardware Platform Solutions
Contract Duration: 1 year, renewable
Work Location: Remote Work in Canada
Our client is a leader in design and manufacturing solutions. Within Hardware Platform Solutions (HPS), our engineering teams design and deliver advanced computing, storage, and platform technologies that require strong product security controls across the software development, build, signing, and release lifecycle. This role is intended to strengthen that capability by providing dedicated ownership of code signing services and the supporting controls required to maintain a secure software chain of custody.
Position Summary
We are seeking an experienced Product Security Lead to join the IT Support and Enablement function supporting the Hardware Platform Solutions (HPS) organization. In this role, you will take ownership of the code signing operating model used by HPS Software Engineering teams and drive its deployment, support, governance, and scale-up across product programs and design centers.
Serving as the key security and technical liaison across Information Security, DevOps, Software Engineering, infrastructure teams, and external vendors, you will ensure that our signing infrastructure, certificates, signing packages, key management practices, and supporting processes are secure, supportable, and production-ready. You will also help engineering teams standardize approved signing methods across Linux and Windows environments while addressing operational constraints, access controls, and customer-driven product security requirements.
Core Responsibilities
1. Code Signing Architecture & Governance
Own Lifecycle Strategy: Design, roll out, and govern the HPS code signing capability, supporting a secure software chain of custody from initial build through final production release.
Standardize Workflows: Establish and maintain approved signing standards and integration patterns across both Linux and Windows development environments.
Develop Operational Frameworks: Formulate standard operating procedures (SOPs), governance controls, and self-service onboarding guidance for engineering teams consuming signing services across multiple product programs and global design locations.
2. Certificate and Key Management Infrastructure
Coordinate Asset Provisioning: Manage the lifecycle, provisioning, and distribution of signing certificates, cryptographic keys, signing policies, and signing packages.
Platform Ownership: Partner with Enterprise Information Security and external vendors to deploy, configure, and maintain AppViewX PKI+ and associated hardware security module (HSM) backed signing services.
Traceability & Auditing: Guarantee absolute integrity, control, and traceability of signing assets and workflows to ensure HPS software releases align with corporate policy and stringent customer security requirements.
3. Security Operations, Risk, & Tool Integration
Mitigate Operational Risks: Identify, assess, and resolve security risks associated with signing deployments, including privilege management, secure package distribution, and cryptographic verification gaps.
Triage Tooling Gaps: Track and address limitations in unsupported or non-standard engineering tools (such as sbsign, intel-pfr-signing-utility, socsec, Windows .bin signing, and Windows OpenSSL support), defining compliant alternative paths.
Secure Access Control: Collaborate with security architects to define support models that eliminate unnecessary elevated administrative access and align with enterprise zero-trust principles.
4. Engineering Enablement & Cross-Functional Collaboration
Technical Liaison: Serve as the primary technical enablement lead for Software Engineering and DevOps teams, troubleshooting package integration failures, API consumption issues, and HSM-related workflow blocks.
Drive Service Maturity: Lead proof-of-concept (POC) evaluations, transition frameworks, and operational readiness reviews to seamlessly transition capabilities from pilot status to scalable, production-grade enterprise services.
5. Future-State Security Capability & Identity Roadmaps
Define Device Identity Roadmap: Participate in defining the long-term architecture for secure product identities, hardware attestation, and localized certificate authority (CA) infrastructures.
Translate Stakeholder Requirements: Partner with product management and engineering leadership to translate evolving customer security needs into scalable security capabilities.
Technical Qualifications
Education and Experience
Bachelor’s degree in Cybersecurity, Computer Science, Information Technology, Software Engineering, or a related technical field.
7+ years of experience in product security, application security, PKI, code signing infrastructure, platform security, or DevSecOps within active engineering or R&D environments.
Demonstrated experience operating in complex matrix environments, effectively bridging the technical gaps between enterprise IT security policies and agile software developer workflows.
Required Technical Skills
PKI & Key Management: Deep conceptual and practical understanding of Public Key Infrastructure (PKI), certificate lifecycle management, cryptographic hashing, key escrow, and secure release governance.
Signing Toolchains: Hands-on experience implementing and troubleshooting developer signing workflows, specifically using OpenSSL (Linux/Windows) and Microsoft Signtool.
HSM & KMS Platforms: Direct experience with HSM-integrated signing systems, PKCS#11 API integrations, and vendor-managed signing controllers (such as AppViewX PKI+).
Systems & Automation Environment: Working knowledge of modern CI/CD pipelines (e.g., Azure DevOps, Jenkins, GitLab), automated test environments, and package validation processes.
Technical Documentation: Strong ability to write high-quality, clear operational playbooks, developer guides, and compliance standards.
Strongly Preferred Qualifications
Background supporting security controls for embedded systems, firmware development (e.g., AMI BIOS/BMC toolchains), or hardware component signing.
Familiarity with secure boot architectures and device identity frameworks (such as IDevID, IEEE 802.1AR attestation, and dedicated/subordinate CA hierarchies).
Industry-recognized security credentials, such as CISSP, CSSLP, or vendor-specific PKI/HSM engineering certifications.
Soft Skills and Working Style
Collaborative Communicator: Ability to build strong consensus and drive security standards across highly diverse engineering, IT, operations, and external vendor teams.
User-Centric Pragmatism: A track record of balancing rigorous security compliance with developer usability, designing solutions that minimize friction and preserve engineering velocity.
Sovereign Problem Solver: Comfortable navigating strict architectural constraints where automated standard enterprise agents are blocked or restricted.
Role Impact
This role will be a key enabler for HPS product security maturity by helping establish, operationalize, and scale the code signing and supporting identity capabilities needed for secure software release processes. Success in this position will improve trust in the software chain of custody, reduce deployment friction for engineering teams, and create a stronger foundation for future product security controls across the HPS portfolio.