Role Summary
Johnson & Johnson MedTech is seeking a Principal Product Security Engineer to secure the Heart Recovery portfolio and coordinate security activities across pre-market and post-market processes. The role is based in Danvers, MA or Raritan, NJ, with up to 10% travel. It is responsible for delivering security architecture, cryptographic controls, embedded system protections, and threat mitigation, and for coordinating third-party testing so that security remains regulatory-compliant across the product lifecycle. Post-market responsibilities include monitoring vulnerabilities, patching, responding to customer security questionnaires, and reviewing security language in contracts.
Responsibilities
- Drive alignment to J&J Product Security’s overarching framework.
- Support the Product Security strategy and objectives within Heart Recovery.
- Define and implement secure boot, firmware integrity validation, and anti-tamper mechanisms to protect device firmware.
- Enforce cryptographic protocols for data-at-rest and data-in-transit, ensuring regulatory compliance.
- Define and implement key management infrastructure (PKI, HSMs, TPMs, secure enclave integration) for device identity and software signing.
- Develop real-time vulnerability assessment techniques for wireless communications used in Heart Recovery devices.
- Implement Zero Trust security for device-to-cloud connectivity, including mTLS and continuous authentication.
- Oversee secure OTA update mechanisms, including firmware rollbacks, code signing, and supply chain integrity validation.
- Lead Secure Development Lifecycle practices (threat modeling, static/dynamic analysis, fuzz testing, formal verification).
- Define hardware security architecture with trust zones and a hardware root of trust (HRoT); implement memory safety strategies for RTOS/bare-metal firmware.
- Respond to customer cybersecurity questionnaires and review security-related contractual language for post-market devices as needed.
Qualifications
- Required: 5+ years of experience in Information Security.
- Required: 3+ years of experience with embedded systems, IoT, or medical device cybersecurity.
- Required: Bachelor’s degree or equivalent.
- Required: Experience generating threat models without threat modeling tools; risk assessments using CVSS 3.1+ and STRIDE; ability to write technical security requirements for embedded systems and web platforms.
- Required: Experience with third-party penetration testing, vulnerability scanning, CVSS; knowledge of FDA cybersecurity guidance, EU MDR, NIST 800-53, IMDRF, AAMI TIR57.
- Required: Knowledge of RTOS hardening, cloud security principles, SBOM generation from code/binaries/firmware/OS; ability to perform pre-market and post-market risk assessments; ability to create security architecture views for medical devices.
- Required: Ability to translate security requirements into solutions; secure coding recommendations and reviews; data privacy experience (HIPAA, GDPR); understanding of HITRUST & ISO 27001; autonomous work style; strong leadership and communication skills.
- Preferred: Experience leading formal security audits; experience with QNX RTOS and Yocto; familiarity with FDA and global regulatory cybersecurity guidance; web app/server hardening (AWS/Azure) and OWASP Top 10; cybersecurity pre-sales; software development experience; CISSP/CISM or another security certification; advanced degree.
Skills
- Security architecture design
- Threat modeling and risk assessment
- Secure coding practices and code reviews
- Embedded systems and RTOS security
- Cryptography, PKI/HSM/secure enclave integration
- Vulnerability management and penetration testing coordination
- Zero Trust and device-to-cloud security
- Regulatory compliance knowledge (FDA, NIST, ISO/HITRUST, GDPR)
- Post-market support and customer security questionnaire responses
Education
- Bachelor’s degree or equivalent
Additional Requirements
- Travel: Up to 10% travel required