About The Position

We are constantly looking to add to our core talent. If you are seeking a career that is challenging and rewarding, a work environment that is diverse and dynamic, look no further — Haemonetics is your employer of choice.

Requirements

  • 10+ years of experience in cybersecurity engineering with a strong focus on product and application security.
  • Direct experience securing medical devices, connected devices, or SaMD in a regulated healthcare environment.
  • Strong understanding of secure SDLC and DevSecOps practices, threat modeling methodologies, and OWASP Top 10 and API security risks.
  • Hands-on experience with AWS cloud security in support of products and services.
  • Familiarity with healthcare and product security frameworks, including NIST CSF/800-53 and ISO 27001.
  • Ability to work effectively across Engineering, Quality, Regulatory, and Product teams.
  • CISSP (ISC²) or CISM (ISACA)
  • CompTIA Security+ or CySA+
  • GIAC certifications (e.g., GSEC, GWAPT, GPEN)
  • AWS Certified Security – Specialty
  • CCSP (ISC²)

Nice To Haves

  • Experience with medical device standards and guidance, including: IEC 62304, ISO 14971, ISO 13485, FDA cybersecurity expectations, UL 2900, AAMI TIR57/TIR97, EU MDR and IEC 81001‑5‑1.
  • Exposure to CSPM, CIEM, or cloud workload protection platforms.

Responsibilities

  • Embed security into the medical device and SaMD SDLC, including secure design reviews, threat modeling, and security requirements definition.
  • Perform threat modeling and architecture reviews for device software and firmware, cloud-connected services and APIs, and mobile and web applications supporting medical devices.
  • Define and validate security controls for authentication, authorization, encryption, and data protection in patient-impacting systems.
  • Partner with Quality and Regulatory teams to ensure cybersecurity requirements are documented, traceable, and auditable.
  • Secure AWS-hosted product backends supporting medical devices and SaMD.
  • Design and review security architectures using AWS services.
  • Implement product-focused logging, monitoring, and threat detection.
  • Integrate security testing into CI/CD pipelines, including SAST, DAST, dependency scanning, container scanning, and secrets detection.
  • Establish and maintain SBOM practices and third-party component governance for medical device software.
  • Define and enforce secure standards for container images, including hardening, scanning, signing, and runtime protections.
  • Support secure build, artifact signing, and release integrity controls.
  • Support product vulnerability intake, triage, and remediation across device software and cloud services.
  • Assist with vulnerability disclosure, security advisories, and post-market cybersecurity activities.
  • Collaborate with incident response teams to investigate and contain product-related security events.
  • Serve as the product security subject matter expert for engineering teams.
  • Mentor engineers and influence secure design decisions through practical guidance and standards.
  • Drive continuous improvement in product security maturity and resilience.

Benefits

  • 401(k) with up to a 6% employer match and no vesting period
  • Employee stock purchase plan
  • Flexible time off for salaried employees
  • Accrual of three to five weeks’ vacation annually (based on tenure) for hourly employees
  • Accrual of up to 64 hours (annually) of paid sick time for hourly employees
  • Paid and/or floating holidays
  • Parental leave
  • Short- and long-term disability insurance
  • Tuition reimbursement
  • Health and welfare benefits