Posted: 22 hours ago | Platform: LinkedIn

Work Mode

On-site

Job Type

Full Time

Job Description

Loc: Hyd

Primary Responsibilities

  • SOUP (Software of Unknown Provenance) & Software Risk Analysis
      • Support SOUP (Software of Unknown Provenance) risk evaluation across system components.
      • Collaborate with software development teams to assess supplier-provided software, open-source libraries, and licensed components against security criteria.
      • Document findings in alignment with IEC 81001-5-1 and ISO 14971, contributing to cybersecurity and risk management deliverables.
  • Vulnerability Assessment & Impact Analysis
      • Evaluate identified software issues, bugs, and third-party vulnerabilities to determine:
          • Whether the vulnerable code is present, accessible, or exploitable within the system.
          • The potential impact if exploited across safety, security, privacy, and business categories.
          • The existence and effectiveness of mitigating security controls and residual risk if unmitigated.
      • Synthesize this information into analysis with rationales, and/or issue tickets that support traceable decision-making and regulatory defensibility.

Secondary Responsibilities

  • Product Security Collaboration
      • Partner with Product Security Engineers to integrate software risk results into product-level risk analysis.
      • Provide input to security architecture and design reviews, emphasizing code-level and component-level risk context.
      • Coordinate with enterprise and OU-level product security vulnerability management teams to ensure consistency of analysis and mitigation tracking.
  • Tools, Testing, and Reporting
      • Utilize, develop, enhance, and/or integrate vulnerability scanning tools, SBOM analyzers, and source code analysis tests to support investigations.
      • Participate in vulnerability triage reviews, code reviews, and security incident response evaluations.
      • Author clear, traceable documentation (impact assessments, risk evaluations, mitigation summaries).
      • Assist the SW team in shifting left by developing and/or integrating more proactive vulnerability detection and monitoring processes in the Software Development Lifecycle.

Must-Have: Minimum Requirements

  • Bachelor’s degree in Computer Science, Computer Engineering, Software Engineering, or a related discipline.
  • 8+ Years of experience in embedded product software development, embedded product software security, or embedded product vulnerability analysis in medical devices or other regulated industries.
  • Strong embedded software development experience in C++ / Python.
  • Conversant with Operating Systems concepts.

Nice to Have

  • Experience in software vulnerability triage, Software Security CVE impact assessment, or SOUP risk analysis.
  • Understanding of embedded software, secure coding practices, and cryptographic principles.
  • Familiarity with IEC 81001-5-1, ISO 14971, FDA Cybersecurity Guidance, and SBOM practices.
  • Working knowledge of CVSS, CWE, and NVD scoring and categorization.
  • Demonstrated critical thinking—ability to reason through ambiguity and complex technical systems.
  • Strong sense of integrity, ownership, and accountability for technical judgment.
  • Proven systems thinking—connecting software behavior to safety, performance, and clinical impact.
  • Certifications such as CISSP, CSSLP, GICSP, or eJPT are beneficial.
