
Principal Med Device Security Engineer

Johnson & Johnson
5 months ago
Remote
United States
IT
Principal Product Security Engineer (remote-based or onsite in Danvers, MA or Raritan, NJ; up to 10% travel)

Responsibilities:
- Implement J&J enterprise Product Security strategy/framework for the Heart Recovery portfolio.
- Deliver security architecture, cryptographic controls, embedded protections, and threat mitigation across the product lifecycle (pre- and post-market).
- Support development phases: review requirements, recommend designs, complete quality documentation, perform threat modeling, coordinate third-party penetration testing, and conduct security testing (including code analysis).
- Post-market: monitor vulnerabilities, support patching/remediation, respond to customer security questionnaires, and review security language in contracts.
- Drive secure boot/firmware integrity/anti-tamper; enforce crypto for data-at-rest/in-transit (FDA cybersecurity, NIST 800-175, FIPS 140-3, IEC 62443).
- Define key management (PKI/HSMs/TPM/secure enclave), vulnerability assessment for wireless interfaces (BLE/NFC/Wi‑Fi/5G/RF), Zero Trust device-to-cloud communication (mTLS, continuous authentication), and secure OTA updates (signing, rollback protection, supply chain validation).
- Lead Secure Development Lifecycle (threat modeling, static/dynamic analysis, fuzzing, formal verification); define hardware security architecture (trust zones/HRoT); implement memory safety; respond to post-market questionnaire/contract needs.

Required Qualifications:
- 8+ years Information Security; 5+ years embedded/IoT/medical device cybersecurity; Bachelor’s or equivalent.
- Threat modeling (without tools), CVSS/STRIDE risk assessments, regulatory security submissions (FDA 2025 guidance, EU MDR, NIST 800-53, IMDRF, AAMI TIR57).
- Secure coding/reviews; third-party pentest/scanning; RTOS hardening; cloud security; SBOM generation; pre-/post-market risk assessments; security architecture views; data privacy (HIPAA/GDPR); HITRUST/ISO 27001; autonomy/leadership.

Preferred:
- Formal security audits; QNX/Yocto/Linux/Alpine; FDA/global submission familiarity; web/server hardening (OWASP Top 10, blue teaming); cybersecurity pre-sales; software development; CISSP/CISM; Master's degree or higher.

Benefits (time off):
- Vacation (120 hrs/yr), sick time (40 hrs/yr; state-specific), holiday pay incl. floating holidays (13 days/yr), work/personal/family time (up to 40 hrs/yr), parental leave (480 hrs), bereavement (up to 240 hrs), caregiver leave (80 hrs), volunteer leave (32 hrs), military spouse time-off (80 hrs).