
Senior Product Security Engineer
Posted Jun 20

This is a fully remote position, open to applicants in the United States.
• Ensure adherence to FDA cybersecurity guidelines and regulations while collaborating with Cybersecurity, Regulatory, Quality, and Systems Development teams.
• Carry out thorough security risk assessments, including Cybersecurity Risk Assessments (CSRAs), to pinpoint vulnerabilities and threats across device hardware, firmware, software, and cloud components.
• Develop and uphold device-specific cyber threat models, considering patient safety, data privacy, and operational continuity.
• Exhibit knowledge of Software Bill of Materials (SBOM) and effectively convey technical details.
• Generate and sustain cybersecurity documentation for both pre- and post-market activities, ensuring alignment with regulatory standards.
• Create comprehensive data flow diagrams to aid in the threat modeling process.
• Engage in design reviews of medical device architectures and implementations, offering actionable suggestions for system security requirements.
• Conduct and support vulnerability analysis while coordinating the vulnerability management program, which includes scanning, patching, and remediation for medical devices.
• Utilize and maintain application and threat detection tools (such as Veracode, Snyk, GitLab, or equivalent) to identify security flaws early in the Software Development Life Cycle (SDLC).
• Assist in investigating and resolving device-related security incidents, minimizing their impact and preventing future occurrences.
• Collaborate with the Privacy Team to ensure compliance with HIPAA, GDPR, and other data protection regulations.
• Bachelor’s degree in Computer Science, Information Security, or a related discipline.
• Over 6 years of experience in information security, specifically focusing on product security for medical devices.
• Strong grasp of security principles, methodologies, and tools relevant to the Product Development Life Cycle (PDLC) and Software Development Life Cycle (SDLC).
• Proven experience in conducting Cybersecurity Risk Assessments (CSRAs), vulnerability analysis, and using contemporary threat detection tools (such as Veracode, Snyk, GitLab, or similar).
• Knowledge of NIST Cybersecurity Framework, NIST SP 800-171, and in-depth familiarity with controls/frameworks like NIST SP 800-53 (Security and Privacy Controls), NIST SP 800-92 (Log Management), and NIST SP 800-63 (Digital Identity Guidelines).
• Hands-on experience in vulnerability identification and threat modeling within the healthcare sector using methodologies such as STRIDE.
• Experience working in a regulated environment (FDA, HIPAA, GDPR, and international regulatory frameworks).
• Background in medical device hardware or Software as a Medical Device (SaMD).
• Familiarity with medical device software development and regulatory processes.
• Exceptional problem-solving, analytical, and communication skills, with the ability to adopt a multi-siloed approach.
• Capability to comprehend interdependencies among teams across mobile applications, hardware, and cloud environments.
• Demonstrated experience in supporting 510(k) submissions, emphasizing product security documentation, risk assessments, and regulatory compliance.
• Health insurance
• 401(k) matching
• Flexible work hours
• Professional development opportunities