
Senior Product Security Engineer
Johnson & Johnson
full-time
Posted on:
Location Type: Hybrid
Location: Danvers • Massachusetts • New Jersey • United States
Salary
💰 $102,000 - $177,100 per year
About the role
- This role will require up to 10% travel.
- The Senior Product Security Engineer will be responsible for implementing J&J’s enterprise Product Security strategy and framework throughout the Heart Recovery portfolio of medical devices and supporting platforms.
- Provide technical expertise and strategic leadership in securing Impella heart pump technologies, next-generation cardiac support systems, and connected medical devices.
- Responsible for delivering security architecture, cryptographic controls, embedded system protections/controls, and threat mitigation techniques to ensure robust, regulatory-compliant security across the product lifecycle.
- Support Heart Recovery throughout each new product’s development phases.
- Review product security requirements and recommend security design solutions.
- Complete quality documentation and threat modelling; coordinate third-party penetration testing; and perform software architecture reviews, design recommendations, code analysis, and other security testing work as needed.
- Monitor for new vulnerabilities, assist with patching and remediation plans, respond to customer security questionnaires, and review security language within contractual agreements as needed.
- Drive alignment to J&J Product Security’s overarching framework.
- Support the Product Security strategy and objectives within Heart Recovery.
Requirements
- 5+ years industry experience in Information Security
- 3+ years experience with embedded system, IoT, or medical device cybersecurity
- Bachelor’s degree or equivalent
- Experience generating threat models without the use of threat modeling tools
- Experience performing risk assessments utilizing CVSS 3.1 or higher, with STRIDE per element
- Ability to write technical security requirements for embedded systems and web platforms based on the latest regulations
- Understanding and execution of third-party penetration testing, vulnerability scanning, CVSS and/or other general security testing principles
- Experience supporting regulatory security submissions, ensuring compliance with FDA Cybersecurity Guidance (2025), EU MDR, NIST 800-53, IMDRF, and AAMI TIR57.
- Knowledge of real-time operating system (RTOS) hardening techniques
- Knowledge of cloud security principles
- Ability to generate SBOMs from software source code and binaries, firmware, and operating systems
- Ability to generate pre-market risk assessments against the threat model leveraging STRIDE, and post-market risk assessments via software composition analysis (SCA) scans of the SBOM
- Ability to generate security architecture views for medical devices, which could include a Global System View, a Multi-Patient Harm View, and an Updateability/Patchability View, detailing system boundaries, data flows, and external interactions to show risk mitigation, ensure transparency, and support post-market management
- Ability to translate technical security requirements into solutions
- Ability to provide secure coding recommendations and execute reviews
- Data privacy experience, including HIPAA and GDPR
- Understanding of industry standards and certifications such as HITRUST & ISO 27001
- Ability to work autonomously and proactively seek out product security opportunities within Heart Recovery
- Ability to lead large projects and proven ability to track to project plan timelines from a security perspective
- Ability to create and deliver cybersecurity awareness campaigns and other communications
- Creative problem-solving skills
- Customer focus (internal & external)
- Excellent communication and collaboration skills; able to network, interface, and influence at all levels of the organization, cross-sector, cross-functionally, and globally
- Strong leadership skills
Benefits
- Subject to the terms of their respective plans, employees are eligible to participate in the Company’s consolidated retirement plan (pension) and savings plan (401(k)).
- Subject to the terms of their respective policies and date of hire, employees are eligible for the following time off benefits:
- Vacation – 120 hours per calendar year
- Sick time – 40 hours per calendar year; for employees who reside in the State of Washington, 56 hours per calendar year
- Holiday pay, including Floating Holidays – 13 days per calendar year
- Work, Personal and Family Time – up to 40 hours per calendar year
- Parental Leave – 480 hours within one year of the birth/adoption/foster care of a child
- Condolence Leave – 30 days for an immediate family member; 5 days for an extended family member
- Caregiver Leave – 10 days
- Volunteer Leave – 4 days
- Military Spouse Time-Off – 80 hours
Applicant Tracking System Keywords
Tip: use these terms in your resume and cover letter to boost ATS matches.
Hard Skills & Tools
information security, embedded system cybersecurity, IoT security, medical device cybersecurity, threat modeling, risk assessments, CVSS 3.1, vulnerability scanning, secure coding, data privacy
Soft Skills
leadership, problem-solving, customer focus, communication, collaboration, autonomy, proactivity, project management, influence, networking
Certifications
HITRUST, ISO 27001