Security Software Engineer | Cryptography & Identity (Python)

About the job
This is a determined period project; estimated project duration - 3-4 months.

We are looking for a security-focused Backend Developer to bridge the gap between high-level application logic and deep-level cryptographic hardware. You will be responsible for building a mission-critical internal Python application that serves as the secure gateway between Azure AD, HashiCorp Vault, and Hardware Security Modules (HSM).

This is a role for a developer who understands that "security" isn’t just a checklist—it’s the core feature. You will work closely with the client’s lead technical expert to design and implement a modular architecture that handles everything from token exchange to master key derivation.

What you'll be doing:

• Architect & Develop: Build a robust Python backend to manage the lifecycle of X.509 certificates, AES, and DES keys.
• Identity Orchestration: Implement complex authentication flows, including OAuth2/Entra ID integration and token exchange for HSM access.
• Secure Integration: Establish secure communication via TLS-secured TCP to HashiCorp Vault and HSM environments.
• Cryptographic Operations: Design and implement key wrapping, unwrapping, and derivation logic (master keys to product-specific keys).
• Deployment: Containerize services using Docker and manage secure networking via reverse proxies (Traefik).

What you need to be successful:

Must-Haves:

• Strong Python Development: Proven experience building production-grade backend applications and consuming/implementing REST APIs.
• Identity & Access: Deep understanding of OAuth2, OpenID Connect, and integration with Azure AD / Entra ID.
• HSM Knowledge: Practical experience interfacing with Hardware Security Modules (e.g., Thales/Luna) via API/TLS protocols.
• Cryptography Fundamentals: Proficiency in AES-128/256, DES/TDES, and secure key lifecycle management.
• Infrastructure: Solid experience with Docker, Linux server operations, and TLS handshake mechanisms.

Nice-to-Haves:

• HashiCorp Vault: Experience with Vault operations, policy design, and secrets engines.
• Security Design: Experience in threat modeling and data-at-rest/transit protection.
• Network Security: Experience configuring ingress controllers/reverse proxies like Traefik.

On-site Work Expectations

The consultant should work on-site in Norway initially (first month or until fully productive). After that, remote work is acceptable; they will must travel when certain secure operations/testing will be required.