Software Threat Modelling Specialist (m/f/d)

- required immediately, permanent -

Your tasks:

 

  • Perform systematic threat modelling for our software products, e.g. web applications, firmware implementations (UEFI, bootloader, …) and other relevant software implementations of congatec products
  • Apply established threat-modelling methods (e.g. STRIDE) and maintain architecture and data flow diagrams as a basis
  • Identify and document threats, evil user stories/attack paths, assumptions and corresponding security controls for our products
  • Integrate threat-modelling into the product and engineering lifecycle (e.g. new features, major architectural changes, new integrations)
  • Make recommendations and derive security requirements and acceptance criteria for user stories in close collaboration with Product Management and Engineering
  • Support design reviews and influence security-related design decisions for our software architecture
  • Assess identified threats in terms of business impact, customer impact and compliance requirements
  • Prioritize risks together with Product Management and translate them into actionable items in product backlogs and roadmaps
  • Define and track mitigation measures (e.g. hardening steps, design changes, additional security controls) and verify their effectiveness
  • Develop and refine a threat modelling framework tailored to our software products, including reusable templates and patterns
  • Conduct workshops and training on secure design and threat modelling techniques for development, architecture and product teams
  • Act as a key advocate for “Security by Design” and “Product Security” across the organization

 

Your profile:

 

  • Degree in Computer Science, Software Engineering, Information Security or a comparable qualification
  • Several years of proven experience in threat-modelling software products or platforms
  • Strong background in collaborating with product, architecture and software development teams in an agile environment
  • In-depth knowledge of at least one threat modelling methodology (e.g. STRIDE, LINDDUN, PASTA) and its practical application in real projects
  • Very good understanding of modern software architecture (e.g. CPU partitioning)
  • Solid understanding of common security threats and vulnerabilities (e.g. OWASP Top 10)
  • Familiarity with relevant standards and frameworks (e.g. OWASP ASVS, NIST, ISO 27001, IEC 62443) in the context of software product security is an advantage
  • Experience with at least one programming language (e.g. Java, C#, C++, Go, Python, JavaScript/TypeScript) to understand implementation details
  • Hands-on experience with threat-modelling documentation practices and common tooling (e.g. Git, CI/CD pipelines, ticketing and documentation systems)
  • Structured, analytical and solution-oriented way of working with strong communication skills towards technical and non-technical stakeholders
  • Confident in running workshops and moderating discussions in cross-functional teams
  • Fluent in English and German; additional languages are an advantage

Become part of our successful team!
We look forward to receiving your complete application.

HR Contact

Tel. +49(991)2700-142