
Principal Med Device Security Engineer

Johnson & Johnson
5 days ago
Remote friendly (Slab City, NH)
United States
IT
Job Description (Principal Product Security Engineer)

Responsibilities:
- Implement J&J’s enterprise Product Security strategy/framework across the Heart Recovery portfolio.
- Deliver security architecture, cryptographic controls, embedded security protections/controls, and threat-mitigation techniques across the product lifecycle (pre- and post-market).
- During development: review security requirements, complete quality documentation, perform threat modeling, coordinate third-party penetration testing, conduct software architecture reviews, and perform code/security testing.
- Post-market: monitor vulnerabilities, support patching/remediation, respond to customer security questionnaires, and review security contractual language.
- Align device security controls with the applicable frameworks (FDA cybersecurity guidance, NIST SP 800-175, FIPS 140-3, IEC 62443); define secure boot, firmware integrity and anti-tamper controls; enforce cryptographic protection of data at rest and in transit.
- Define key management (PKI, HSM, TPM, secure enclave); lead vulnerability assessment of wireless interfaces; implement Zero Trust controls (mutual TLS, continuous authentication); oversee secure over-the-air (OTA) update mechanisms (image signing, rollback handling, supply-chain validation).

Required Qualifications:
- 8+ years Information Security; 5+ years embedded/IoT/medical device cybersecurity; Bachelor’s or equivalent.
- Threat modeling (STRIDE) and risk assessment (CVSS v3.1 or later); writing security requirements for embedded and web components.
- Third-party penetration testing/vuln scanning; regulatory submission experience (FDA Cybersecurity Guidance (2025), EU MDR, NIST 800-53, IMDRF, AAMI TIR57).
- Knowledge of OS hardening, cloud security, SBOM generation, and software composition analysis (SCA) driven by SBOM scanning; security architecture views for medical devices.
- Secure coding reviews/recommendations; HIPAA/GDPR; HITRUST/ISO 27001.
- Autonomy, leadership, project tracking, strong communication/collaboration.

Preferred Qualifications:
- Security audits.
- QNX/QoS, Yocto, Linux (Ubuntu/Alpine).
- Global regulatory process familiarity.
- Web/server hardening (AWS/Azure, OWASP Top 10, blue teaming).
- Cybersecurity pre-sales; software development.
- CISSP/CISM; MS/advanced degree.

Benefits (time off): Vacation (120 hrs/yr); Sick time (40 hrs/yr; CO 48; WA 56); Holiday pay incl. floating holidays (13 days/yr); Parental leave (480 hrs in one year).