Penetration Tester

Role: Penetration Tester

Location: Remote ( Should be travel ready to customer location once in a while for some testing)

Job Summary:

We are seeking an experienced Penetration Tester with specialized knowledge in medical devices and FDA 510(k) compliance to support our cybersecurity efforts. The ideal candidate will have hands-on experience conducting Threat Modelling, Ethical hacking and vulnerability assessments in FDA-regulated environments, ensuring our connected medical products meet security standards for submission and post-market monitoring.

Key Responsibilities:

• Strategize and plan static and dynamic application security testing (SAST/DAST/ SCA) tools.
• Conduct manual and automated penetration testing on medical devices, embedded systems, and healthcare applications.
• Identify, exploit, and document vulnerabilities in both hardware and software used in Class II/III devices.
• Collaborate with R&D, Regulatory, and Quality teams to ensure test findings are addressed in FDA 510(k) submissions.
• Prepare detailed technical reports and risk assessments that meet FDA and ISO/IEC 81001-5-1 requirements.
• Assist in the development and validation of Secure Software Development Lifecycle (SSDLC) practices.
• Support threat modeling, risk management, and cybersecurity assessments required by FDA premarket guidance (e.g., Cybersecurity in Medical Devices).
• Stay current on regulatory guidance (FDA, NIST, IEC 62443, ISO 14971) and industry best practices.

Requirements:

Technical Skills:

• Strong understanding of penetration testing methodologies (e.g., OWASP, PTES, MITRE ATT&CK).
• Familiarity with medical device communication protocols (e.g., BLE, Zigbee, HL7, DICOM, MQTT).
• Secure coding practices: Knowledge of secure coding standards (e.g. OWASP top 10, OWASP ASVS) and experience in reviewing code for security vulnerabilities.
• Proficient with tools like Burp Suite, OWASP ZAP, Metasploit, Nmap, Wireshark, Kali Linux, etc.
• Experience testing embedded systems, firmware, and mobile/IoT medical applications.
• Familiarity with Git version control, CI/CD pipeline and bug tracking tools.
• Strong command line skills and troubleshooting experience in Linux environments.

Regulatory Knowledge:

• Threat Modelling: Ability to conduct threat modelling sessions to identify and mitigate security risks
• In-depth understanding of FDA 510(k) submission processes and cybersecurity requirements.
• Familiarity with FDA premarket guidance (2023 updates), post market management, and SBOM expectations.
• Understanding of HIPAA, GDPR, and other data protection regulations as they relate to medical devices.

Education and Experience:

• Bachelor s or Master s degree in Computer Science, Cybersecurity, Biomedical Engineering, or related field.
• 5-8 years of experience in cybersecurity testing, with at least 2 years in the medical device industry.
• Certifications preferred: OSCP, CISSP, CEH, GICSP, or CRISC.

Preferred Qualifications:

• Experience with testing and securing gRPC APIs.
• Hands-on experience in AWS cloud security and compliance.
• Proficiency in python programming knowledge to develop automations.
• Experience with implementing security hardening to operating systems (Linux and Windows) as part of secure baselines that is used in end product.
• Experience working directly on 510(k) submissions or as part of an FDA audit.
• Prior work in a regulated QMS (ISO 13485, FDA CFR 21 Part 820).
• Knowledge of DevSecOps integration.