Product Security Engineer

Responsibilities:

• Support product security activities for medical devices, including contributions to FDA submission deliverables.
• Apply ISO 14971 risk management principles and integrate cybersecurity risks into safety analyses such as FMEA, FMEDA, and hazard analysis.
• Align security activities with IEC 62304 software lifecycle requirements and safety classifications.
• Ensure compliance with FDA cybersecurity premarket guidance and other applicable regulatory standards.
• Perform threat modeling and attack surface analysis using methodologies such as STRIDE.
• Define and implement secure-by-design architecture including authentication, authorization, least privilege, and secure data flows.
• Design and evaluate embedded and firmware security controls including secure boot, signed firmware, root of trust, and secure key storage.
• Apply cryptographic best practices including TLS, certificate lifecycle management, and secure key handling.
• Conduct vulnerability assessments using SAST, DAST, fuzzing, and binary analysis techniques.
• Plan and execute penetration testing activities or coordinate with external security testing teams.
• Analyze and secure networking protocols including TCP/IP, BLE, Wi-Fi, MQTT, and healthcare standards such as HL7/FHIR.
• Manage software supply chain security including SBOM generation and dependency vulnerability tracking.
• Integrate security controls into DevSecOps pipelines including SCA, SAST, secrets scanning, and release gating.
• Develop and maintain required documentation for regulatory submissions.

Required Skills And Experience:

• Strong experience in product security within the MedTech or medical device industry.
• Hands-on experience supporting FDA submissions and regulatory cybersecurity requirements.
• Knowledge of ISO 14971 risk management and IEC 62304 software lifecycle standards.
• Experience with threat modeling frameworks such as STRIDE.
• Expertise in secure architecture, embedded systems security, and cryptography.
• Experience in vulnerability assessment, penetration testing, and secure coding practices.
• Strong understanding of networking protocols and secure communications.
• Experience with DevSecOps practices and CI/CD pipeline security integration.

Deliverables:

• Product Security Plan.
• Threat Model documentation.
• Risk Assessment reports.
• Vulnerability Assessment reports (CVSS 3.1 / MITRE framework preferred).
• Manufacturer Disclosure Statement for Medical Device Security (MDS2).
• Security White Papers and supporting documentation.

Preferred Qualifications:

• Experience with healthcare data standards such as HL7/FHIR.
• Familiarity with hardware security testing and advanced attack techniques.
• Knowledge of global regulatory cybersecurity requirements.

Soft Skills:

• Strong analytical and problem-solving skills.
• Excellent documentation and technical writing abilities.
• Strong communication skills with cross-functional teams and stakeholders.
• Detail-oriented with a focus on compliance and quality.
• Ability to manage multiple priorities in a complex, regulated environment.