
Principal Product Security Engineer

Johnson & Johnson
Remote friendly (Raritan, NJ)
United States
$102,000 - $177,100 USD yearly
IT

Role Summary

The Principal Product Security Engineer will implement J&J’s enterprise Product Security strategy and framework across the Heart Recovery portfolio of medical devices and supporting platforms. This role, within Abiomed (a Johnson & Johnson MedTech company), provides technical leadership in securing implantable and connected medical devices, delivering security architecture, cryptographic controls, embedded protections, and threat mitigation throughout the product lifecycle. It includes pre-market and post-market responsibilities, vulnerability monitoring, patching support, and responding to customer security questionnaires. Location options include Danvers, MA or Raritan, NJ, with remote or hybrid work and up to 10% travel.

Responsibilities

  • Drive alignment to J&J Product Security’s overarching framework.
  • Support the Product Security strategy and objectives within Heart Recovery.
  • Define and implement secure boot, firmware integrity validation, and anti-tamper mechanisms to protect Heart Recovery device firmware against unauthorized modification.
  • Enforce cryptographic protocols for data at rest and data in transit, ensuring compliance with FDA cybersecurity requirements, NIST SP 800-175, FIPS 140-3, and IEC 62443.
  • Define and implement key management infrastructure (PKI, HSMs, TPMs, and secure enclave integration) for device identity, authentication, and software signing.
  • Develop real-time vulnerability assessment techniques for detecting security flaws in wireless communications used in Heart Recovery’s medical devices.
  • Implement Zero Trust security for device-to-cloud connectivity, integrating mTLS and continuous authentication models into clinical applications.
  • Oversee secure OTA update mechanisms, covering code signing, controlled firmware rollback, and supply chain integrity validation.
  • Lead Secure Development Lifecycle practices, integrating threat modeling, static/dynamic analysis, fuzz testing, and formal verification into the development process.
  • Work with R&D Engineering to define hardware security architecture, including trust zones, a hardware root of trust (HRoT), and secure microcontroller protections.
  • Implement memory safety strategies to mitigate vulnerabilities in RTOS and bare-metal firmware.
  • Respond to customer cybersecurity questionnaires and contractual language for post-market medical devices as needed.

Qualifications

  • Required: 5+ years industry experience in Information Security
  • Required: 3+ years experience with embedded systems, IoT, or medical device cybersecurity
  • Required: Bachelor’s degree or equivalent
  • Required: Experience generating threat models without the use of threat modeling tools
  • Required: Experience performing risk assessments using CVSS 3.1 or higher, with STRIDE-per-element
  • Required: Ability to write technical security requirements for embedded systems and web platforms based on the latest regulations
  • Required: Understanding and execution of third-party penetration testing, vulnerability scanning, CVSS and/or other general security testing principles
  • Required: Experience supporting regulatory security submissions, ensuring compliance with FDA Cybersecurity Guidance (2025), EU MDR, NIST 800-53, IMDRF, and AAMI TIR57
  • Required: Knowledge of real-time operating systems hardening techniques
  • Required: Knowledge of cloud security principles
  • Required: Ability to generate SBOMs from software source code and binaries, firmware, and operating systems
  • Required: Ability to generate pre-market and post-market risk assessments leveraging STRIDE and SBOM scans
  • Required: Ability to create security architecture views for medical devices and communicate system boundaries, data flows, and risk mitigation
  • Required: Ability to translate technical security requirements into solutions and provide secure coding recommendations
  • Required: Data privacy experience, including HIPAA and GDPR
  • Required: Understanding of HITRUST & ISO 27001
  • Required: Ability to work autonomously and proactively seek product security opportunities
  • Required: Ability to lead large projects and track to security-focused project plans
  • Required: Ability to create and deliver cybersecurity awareness campaigns and communications
  • Required: Creative problem-solving skills and strong collaboration
  • Required: Excellent communication and ability to influence across levels and functions

Skills

  • Experience leading or participating in formal security audits
  • Experience with operating systems such as QNX and Yocto-based Linux
  • Familiarity with FDA and/or other global regulatory cybersecurity guidance and submission processes
  • Experience with web application and server hardening on AWS or Azure, including the OWASP Top 10
  • Experience in cybersecurity pre-sales
  • Software development experience
  • CISSP, CISM, or other security certification
  • MS and/or advanced degree

Education

  • Bachelor’s degree or equivalent

Additional Requirements

  • Up to 10% travel