AppSec Jobs

Arm

Senior Software Engineer – Security Platforms

Cambridge, England, United Kingdom

Full details on LinkedIn

The complete job description, requirements, and application details are available on the original posting.


About Arm

Arm Holdings plc is a UK-based semiconductor and software design company founded in 1990. It specializes in developing the ARM architecture, a family of low-power, high-performance CPU designs that are widely used in mobile devices, embedded systems, and increasingly in data centers and AI applications. The company focuses on the design and licensing of semiconductor intellectual property (IP), particularly its instruction set architecture (ISA) and processor designs. Arm licenses its technology to semiconductor companies and original equipment manufacturers (OEMs), allowing them to integrate Arm-based processors into their products. Its offerings include optimized CPU architectures, software development tools, middleware, and security technologies that support its hardware designs. Arm's technology is embedded in over 99% of the world's smartphones and is expanding into automotive, IoT, and data center markets. The company has established a strong customer base, including major semiconductor firms like Qualcomm, Nvidia, and Intel, as well as smartphone manufacturers such as Oppo, Vivo, and Xiaomi.

Industry

semiconductors

Employees

8,400

6151 engineers

Revenue

$4.0B


Security at Arm

Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.

3 Intel Signals

Security Philosophy

  • Arm's Application/Product Security philosophy emphasizes embedding security throughout the entire product lifecycle, from architecture inception to post-market monitoring.
  • This includes using a Security Development Lifecycle (SDL) to identify and mitigate risks early in design, development, and verification.
  • The company also employs a Product Security Incident Response Team (PSIRT) dedicated to identifying, assessing, and mitigating vulnerabilities, and leverages a Bug Bounty Program to uncover vulnerabilities with external expertise.
  • Their risk philosophy involves defining security requirements based on product use and threats, utilizing structured threat modeling, and maintaining a Security Risk Assessment (SRA) as an active document.

Security Team

Arm actively hires for Product Security roles, as evidenced by public job postings such as Product Security Systems Architect (Job ID 2025-15044, posted) and Principal Product Security Manager (Job ID 2025-15051, posted). Each job description references SDL, security systems, and cross-functional coordination, with 'security systems' defined as 'the particular processes and platforms that engineering teams use to optimise security.' Gary Campbell leads Arm's central engineering team. The AppSec team's explicit organizational model (centralized vs. embedded), its headcount, and an official team-size figure are not publicly available.

Key Initiatives

Arm's AppSec initiatives include embedding security throughout the SDL, from architecture inception to post-market monitoring, and defining security requirements for each project. They utilize structured threat modeling and a Security Risk Assessment (SRA). The Product Security Incident Response Team (PSIRT) is central to vulnerability management, acknowledging reports within two business days and assigning CVE IDs. The PSIRT process follows four phases: Discover, Analyze, Resolve, Communicate. Arm also operates a Bug Bounty Program to leverage external expertise. An explicit 'security champions' program, explicit SLAs, MTTRs, and ticketing ownership statements (e.g., 'critical findings within 30 days') are not publicly available.
