Principal Product Security Engineer

A Day in the Life

• Lead and perform product and device-oriented cybersecurity-related activities ranging from incident response to vulnerability assessments and mitigation implementation.
• Develop and perform product-level intrusion detection activities.
• Lead product risk assessments in conjunction with product R&D teams and develop and recommend specific security controls for product/system wide security needs.
• Participate in the creation and testing of product security-related requirements and processes.
• Manage security-related deliverables for regulatory bodies, ensuring compliance with key standards / guidance documents.
• Evaluate and test security risks on programs across the entire development lifecycle, including market-released products.
• Support emerging cybersecurity certification initiatives.
• Maintain and update security documentation.
• Create and maintain threat models using STRIDE.

Must Have: Minimum Requirements

• An undergraduate (bachelors) or graduate degree in computer science, computer engineering, electrical engineering, or similar discipline.
• CISSP or similar certification, or sufficient demonstrated experience
• Experience in embedded devices vulnerability assessment, especially medical devices and Threat Modelling and risk scoring
• Formal education in cybersecurity and information assurance.
• Minimum 12-year experience & 4 years of technical, cybersecurity-related experience,
• Experience in analyzing security posture and vulnerability assessment
• experience in penetration testing, fuzz testing of Web, enterprise cloud and Desktop solutions, (Black box, gray box and Whitebox testing)
• Experience in static code analysis for security vulnerability
• Software Product Development experience, Programming skills in one or more of the following: C, C++, Python, Java, .NET, Go, Ruby and/or Scala
• Understanding of national and international laws, regulations, and policies related to regulated medical device cybersecurity
• Demonstrated understanding of information security practices, risk management processes, cybersecurity principles, and incident response methodologies

Nice to Have:

• Experience as an analyst, engineer, developer, or architect with core cybersecurity responsibility and knowledge in two or more of the following areas:
• Experience in leading application architecture reviews and threat assessments
• Cloud systems architecture and security
• Enterprise and local network infrastructure security
• Experience in code reviews and/or penetration testing
• Large-scale application architecture and security
• Mobile device application architecture and security
• Risk assessments and cybersecurity regulatory requirements
• Experience in static and dynamic code analysis tools and methodologies
• Medical devices and systems security experience
• Security incident management experience
• Log event management and searching experience (Splunk, Sentinel, or similar)
• In-depth OS systems-level experience within one or more of the following: Linux, Windows, Android, iOS
• Demonstrated understanding of networking (ports/protocols), firewalls, load balancers and IPS
• Expertise in Agile and can work with at least one of the common frameworks
• Experience in Healthcare industry or other heavily regulated industry.
• Understanding of national and international laws, regulations, and policies related to regulated medical device cybersecurity
• Experience with container technologies such as Docker, Kubernetes, Mesos, or Open Container Initiative (OCI)
• Demonstrated ability to develop and grow productive, trusting, and open relationships with a wide variety of constituencies.
• Demonstrated leadership and teamwork skills
• Demonstrated ability to communicate complexity in a clear manner
• Demonstrated experience interfacing with customers and other external stakeholders regarding cybersecurity system design and behavior
• Demonstrated strong analytical, problem-solving skills