Remote friendly (Elkhorn City, KY)
Principal Product Security Engineer (Remote or onsite Danvers, MA or Raritan, NJ; up to 10% travel)
Responsibilities:
- Implement J&J enterprise Product Security strategy/framework for the Heart Recovery medical device portfolio.
- Deliver security architecture, cryptographic controls, embedded protections, and threat mitigation across the product lifecycle (pre- and post-market).
- Support product security requirements/design recommendations; complete quality documentation; perform/coordinate threat modeling and third-party penetration testing.
- Post-market: monitor vulnerabilities, support patch/remediation, respond to customer security questionnaires, and review security language in contracts.
- Define/implement secure boot, firmware integrity validation, anti-tamper, and cryptography for data-at-rest/in-transit (FDA cybersecurity, NIST 800-175, FIPS 140-3, IEC 62443).
- Key management (PKI/HSMs/TPM/secure enclave), vulnerability assessment for wireless interfaces, Zero Trust device-to-cloud (mTLS/continuous auth), secure OTA updates (signing/rollback/supply-chain integrity).
- Lead the Secure Development Lifecycle (threat modeling, static/dynamic analysis, fuzzing, formal verification) and embedded security hardening (Arm TrustZone-style isolation, hardware root of trust, memory safety).
Required Qualifications:
- 8+ years Information Security; 5+ years embedded/IoT/medical device cybersecurity; bachelor's degree or equivalent.
- Threat modeling (manual, not dependent on tooling); risk assessments using CVSS 3.1 or later with STRIDE; authoring technical security requirements; coordinating third-party testing/scanning.
- Regulatory submissions experience (FDA cybersecurity guidance, EU MDR, NIST 800-53, IMDRF, AAMI TIR57).
- OS hardening, cloud security, SBOM generation, pre/post-market risk assessments, security architecture views.
- Secure coding/reviews; HIPAA/GDPR; HITRUST/ISO 27001 knowledge; autonomous leadership; communication/collaboration.
Preferred:
- Formal security audits; QNX/Yocto/Linux/Alpine; FDA/global regulatory submission familiarity; AWS/Azure web security (OWASP Top 10/blue teaming); cybersecurity pre-sales; software development; CISSP/CISM or other certs; MS/advanced degree.
Benefits (time off): Vacation, sick time, holiday/floating holidays, work/personal/family time, parental leave, bereavement, caregiver, volunteer, military spouse time-off.