Product & Application Security Engineer
About Sungrow:
Sungrow North America is a leading provider of renewable energy solutions, specializing in the development and manufacturing of photovoltaic inverters and energy storage systems. The company offers a comprehensive range of products and services designed to optimize the performance and efficiency of solar power installations. Sungrow North America is known for its commitment to innovation, high-quality standards, and exceptional customer service, aiming to provide sustainable and reliable energy solutions to meet the growing demand for clean power.
The Position:
Sungrow Americas is seeking a Product and Application Security Engineer to execute security across the full product ecosystem, spanning firmware, embedded systems, hardware-integrated applications, cloud services, and connected platforms.
This role is responsible for deep technical security execution across the entire product lifecycle, ensuring that security is embedded from device to cloud to application layer.
You will serve as the hands-on technical authority, working directly with engineering teams to identify, validate, and remediate vulnerabilities across software, firmware, hardware interfaces, and system integrations.
This is a high-depth, cross-domain role, ideal for an engineer who can move fluidly between code, devices, protocols, and cloud architectures.
Key Responsibilities
Full-Stack Product Security
- Perform security assessments across:
  - Applications (web, APIs, backend services)
  - Firmware and embedded systems
  - Hardware interfaces and device communications
  - Cloud-connected platforms and IoT ecosystems
- Conduct code review, firmware analysis, and system-level security testing
- Identify and validate vulnerabilities across the entire product attack surface
Secure Development & System Hardening
- Embed security into SDLC across software, firmware, and device-integrated systems
- Define and implement secure design patterns across:
  - Application layers
  - Device firmware
  - Communication protocols
- Partner with engineering to ensure secure-by-design architecture decisions
Offensive Security & Validation
- Perform and support penetration testing, firmware analysis, and device-level assessments
- Validate findings from internal testing, third-party assessments, and teardowns
- Simulate real-world attack paths across device → network → cloud → application
Vulnerability Management
- Triage and validate vulnerabilities across software, firmware, and hardware layers
- Provide clear, actionable remediation guidance tailored to engineering teams
- Track and drive remediation aligned to risk and customer impact
Software & Hardware Supply Chain Security
- Support SBOM/HBOM analysis and validation
- Identify risks in third-party libraries, firmware components, and hardware dependencies
- Assist in mitigation strategies across supplier-integrated components
Emerging Technology & Advanced Systems Security
- Evaluate security risks in:
  - IoT architectures and edge devices
  - Cloud-native and distributed systems
  - Agentic / autonomous system behaviors (where applicable)
- Help define guardrails for secure adoption of new technologies
Engineering Integration & Enablement
- Act as a trusted technical partner to software, firmware, and hardware teams
- Translate security findings into practical engineering fixes
- Provide real-time guidance during development, not just post-testing
- Contribute to a culture of security ownership within engineering
AI & Automation
- Experience leveraging AI/ML-assisted tools to improve security engineering outcomes, including:
  - Code analysis and vulnerability detection
  - Secure code generation and review validation
  - Automation of repetitive security testing and triage tasks
- Ability to integrate AI capabilities into engineering workflows, including:
  - API-based integrations with development and security tooling
  - Automation of security processes within CI/CD pipelines
- Working understanding of security risks associated with AI-enabled systems, including:
  - Prompt injection and model misuse
  - Data exposure and model leakage risks
  - Secure handling of sensitive data in AI workflows
- Practical ability to build lightweight automation and tooling (scripts, integrations, or pipelines) to scale security operations
Requirements
- 6–10+ years of experience in product security, embedded security, application security, or IoT security
- Hands-on experience across multiple layers of the stack, including:
  - Application security (OWASP, API security)
  - Firmware or embedded systems
  - Network protocols and device communications
- Strong ability to perform:
  - Manual code review
  - Firmware analysis (static/dynamic)
  - System-level threat analysis
- Experience with security tooling across SAST, DAST, SCA, firmware analysis, and network testing
- Working knowledge of modern architectures (cloud, microservices, device-cloud integration)
- Ability to leverage AI
Preferred
- Experience with industrial systems, energy, or OT environments
- Familiarity with hardware security concepts (secure boot, TPM, hardware roots of trust)
- Experience with reverse engineering or low-level debugging
- Exposure to SBOM/HBOM frameworks and supply chain security models (SLSA, etc.)
- Certifications such as OSCP, OSCE, OSWE, GXPN, or similar
Competencies
- Cross-Domain Depth: Comfortable moving between firmware, hardware interfaces, applications, and cloud
- Hands-On Operator: Executes, tests, breaks, and fixes—not just advises
- Systems Thinker: Understands how components interact across the full product lifecycle
- Engineering Credibility: Earns trust through technical accuracy and practical solutions
- Adaptable Problem Solver: Effective in complex, evolving product environments
Travel
Up to 10%
Work Location and Status:
- Full-time position
- Remote
- No visa sponsorship
Sungrow is an equal opportunity employer. Due to strong interest in this position, Sungrow will only reach out to those candidates who best meet the requirements. Thank you for your interest in Sungrow.