Principal Med Device Security Engineer

Johnson & Johnson
5 months ago
Remote friendly (Nevada County, CA)
United States
IT
Principal Product Security Engineer (MedTech cybersecurity): remote or onsite in Danvers, MA or Raritan, NJ; up to 10% travel.

Responsibilities
- Implement J&J enterprise Product Security strategy/framework across the Heart Recovery portfolio.
- Deliver security architecture, cryptographic controls, embedded protections, and threat mitigation across the product lifecycle.
- Support development-phase activities: review requirements, recommend designs, complete quality documentation, threat modeling, coordinate third-party penetration testing, code analysis/security testing, and architecture reviews.
- Post-market: monitor vulnerabilities, support patch/remediation plans, respond to customer security questionnaires, and review security language in contracts.
- Define/implement secure boot, firmware integrity validation, anti-tamper; cryptographic protocols for data-at-rest/in-transit (FDA, NIST 800-175, FIPS 140-3, IEC 62443).
- Key management (PKI/HSM/TPM/secure enclave), vulnerability assessment for wireless (BT LE, NFC, Wi‑Fi, 5G, RF).
- Zero Trust/device-to-cloud (mTLS, continuous authentication), secure OTA updates (signing, rollbacks, supply chain validation).
- Lead SDL: threat modeling, static/dynamic analysis, fuzz testing, formal verification; hardware security architecture; memory safety.

Required Qualifications
- 8+ years Information Security; 5+ years embedded/IoT/medical device cybersecurity; Bachelor’s or equivalent.
- Threat modeling with or without tools; risk assessments (CVSS 3.1+, STRIDE); security requirements for embedded/web.
- Third-party penetration testing/vuln scanning; regulatory security submissions (FDA, EU MDR, NIST 800-53, IMDRF, AAMI TIR57).
- RTOS hardening, cloud security principles, SBOM generation; pre/post-market risk assessments; security architecture views.
- Secure coding reviews; HIPAA/GDPR; HITRUST/ISO 27001.
- Autonomous leadership, project delivery, and communication/collaboration.

Preferred
- Formal security audits; OS experience (QNX, Yocto, Linux, Ubuntu, Alpine); global regulatory submission familiarity.
- Web/server hardening (AWS/Azure), OWASP Top 10, blue teaming; cybersecurity pre-sales; software development; CISSP/CISM; MS/advanced degree.

Benefits (time off)
- Vacation (120 hrs/yr), Sick time (40 hrs/yr; CO:48; WA:56), Holiday pay incl. floating holidays (13 days/yr), Work/Personal/Family time (up to 40 hrs/yr), Parental leave (480 hrs), Bereavement leave, Caregiver leave, Volunteer leave, Military spouse time-off.