Job Description

In the role of a seasoned Product Security Incident Analyst, your primary responsibility will be to oversee and orchestrate the response efforts concerning security incidents and vulnerabilities associated with Valeo's automotive products and systems (including ECUs, telematics units, and in-vehicle software). Your expertise will be crucial in guiding the team towards detecting genuine product-impacting threats and vulnerabilities, and implementing effective mitigation strategies by delivering real-time analysis during incident handling. You will also provide advice and training to empower engineering teams in recognizing, preventing, and addressing security threats within our product lifecycle.


Responsibilities:

● Execute, document, and meticulously follow each stage of the Product Security Incident Response Lifecycle, starting from initial detection of a product-related vulnerability to its resolution and customer/regulator communication.

● Make real-time decisions to swiftly mitigate product risks, safeguarding both Valeo and its customers from exploits in vehicle systems.

● Conduct triage for automotive security incidents, product vulnerabilities, and customer-reported issues to ascertain their scope, urgency, and potential impact on vehicle security and safety.

● Provide timely and clear executive updates, elucidating the identified risks to key stakeholders (internal engineering, legal, external OEMs/customers, and regulatory bodies) during and after product security incidents.

● Validate customer notifications and/or provide authoritative security guidance for customers.

● Perform deep-dive incident analysis on affected products, generate reports, and deliver briefings that communicate automotive threat landscape trends to enhance product design and security controls.

● Develop and maintain comprehensive Incident Response Plans tailored to specific product platforms and electronic control units (ECUs).


Required / Minimum Qualifications:

● A minimum of three years of hands-on experience encompassing various facets of incident response, vulnerability analysis, or product security research.

● Direct experience with security investigations, analysis, and response concerning embedded systems, IoT devices, or automotive electronic control units (ECUs).

● Hands-on investigative experience in security incidents and vulnerabilities related to automotive software, hardware, and communication protocols (e.g., CAN, LIN, Ethernet).

● Proven capability to effectively communicate complex and technical product security matters to diverse audiences, both verbally and in writing, using a clear, authoritative, and actionable approach.

● Possesses a robust foundational understanding of embedded security concepts, covering operating systems (e.g., QNX, embedded Linux), hardware security modules (HSMs), vehicle networks, and basic cryptography as applied to ECUs.


Additional / Preferred Qualifications:

● Experience in Source Code Analysis (SAST/DAST) methodologies, and Free & Open Source Software (FOSS) security risk analysis as applied to automotive projects.

● Possession of certifications such as Certified Incident Responder, GCIH, CISSP, CSSLP, or CEH/OSCP, will be a plus.

● Experience handling incidents related to DDoS attacks, vehicle-to-everything (V2X) communication, telematics units, in-vehicle infotainment (IVI), or powertrain ECUs.

● Familiarity with automotive industry standards and regulations such as ISO/SAE 21434 (Road vehicles - Cybersecurity engineering) and UN R155 (Cyber security and cyber security management system).
