Sr Staff Product Security Engineer
- Location: Andover MA
- Subject area: R&D
- Entry level: Experienced (> 5 Years)
- Working hours: Full time
The Job Responsibilities
We’re hiring! If you want your contributions to make a real difference, check out this new career opportunity with us at Draeger where we are led by the guiding principle “Technology for Life”.
The Senior Staff Product Security Engineer will:
- Lead architecture and design reviews to identify cybersecurity risks in new and existing products/systems, lead threat modeling activities, and prioritize remediation work. Review and triage results coming from existing controls (e.g. bug reviews, 3rd party analysis, etc.). Bring engineering teams together to develop solutions on how to best address individual vulnerabilities. Coordinate with the Product Security Manager and cross-functional teams to get needed improvements included in the next available release. Lead cybersecurity training events for the engineering organization. Drive compliance with corporate cybersecurity policies as well as all external regulatory agencies.
- Lead product threat modeling and assessment activities, resulting in a Common Vulnerability Scoring System (CVSS) score for each identified issue. Work with the Risk Assessment organization to assess the system risk of items identified during threat modeling, creating system hazard requirements as required per process based on this assessment activity.
- Responsible for Draeger compliance with the latest DoD Security Technical Implementation Guides (STIGs) via monthly Nessus vulnerability scanning to maintain DoD RMF certification for Draeger RMF-qualified products.
- Design, develop, test, and maintain penetration testing, fuzz testing, and other vulnerability testing tools for the purpose of evaluating the cybersecurity readiness of Draeger products.
- Responsible for creating, updating, and posting Manufacturer Disclosure Statements for Medical Device Security (MDS2) and other required customer facing documents as required per Draeger cybersecurity processes.
- Responsible for the periodic review, as required per process, of the Software Bill of Materials (SBOM), looking for newer versions of listed software items that need to be evaluated for cybersecurity vulnerability fixes and scored using the CVSS method. All results shall be documented per process and will be used as input to system risk analysis.
- Responsible for creating, releasing, and publishing Cybersecurity Advisories to Draeger customer facing web site to meet required regulatory agency disclosure rules and internal Draeger cybersecurity processes.
- Participate in post market release team reviews of cybersecurity field complaints, providing guidance on severity and probability scoring for each identified vulnerability, setting priority order on items that need to be fixed/resolved.
- Create and release all Draeger process required cybersecurity program documents. These documents will be stored in the design history file of the product as proof of compliance to process.
- Perform other duties as needed and assigned.
Your Qualifications
Education:
BS Cybersecurity, Computer Science or other technically related field; MS Cybersecurity or Computer Science preferred.
Related Experience:
- 5-10 years of practical application security work experience, preferably including some or all of the following: source code auditing, penetration testing, product assessments, vulnerability research, reverse engineering, and related pursuits.
- 5 years of practical software development experience - C/C++, Python, JavaScript
- Experience using the Microsoft Threat Modeling tool
- Working knowledge of DoD STIGs
Special Competencies or Certifications:
- Excellent attention to detail, quality, and customer satisfaction.
- Strong analytical, organizational, and technical writing skills.
- Proficient in network scanning tools - Nessus
- Prototyping ability - the skill to quickly solve a problem and demonstrate feasibility on short notice
- Certified Ethical Hacker
- CompTIA Security+
- CISSP: Certified Information Systems Security Professional
- Windows, UNIX and Linux operating systems knowledge
- SANS GIAC Security Essentials
- CISA: Certified Information Systems Auditor
- CISSP-ISSMP: Information Systems Security Management Professional
- Working knowledge of ISO 14971
- Practices and methods of IT strategy, enterprise architecture and security architecture
- Security concepts related to DNS, routing, authentication, VPN, proxy services and DDOS mitigation technologies
- ISO 27001 & 27002, NIST Cybersecurity framework
- PCI, HIPAA, NIST, GLBA and SOX compliance assessments
- Firewall and intrusion detection/prevention protocols
- Secure coding practices, ethical hacking and threat modeling
- TCP/IP, computer networking, routing and switching
- Network security architecture development and definition
The Dräger Workplace
Draeger has several sites located across North America as well as field-based sales and service positions. Our North America headquarters is located in Telford, PA just north of Philadelphia. We also have US sites in Andover, MA, and Houston, TX. Our Canada site is located in Mississauga, Ontario.
The design, development and manufacturing of Draeger’s Patient Monitoring product line takes place in our Andover, Massachusetts location.
EEO is the Law
Draeger is an Equal Opportunity Employer. To learn more: Know Your Rights: Workplace Discrimination is Illegal (dol.gov)
Who we are
From hospitals to fire departments to industrial customers, people around the world rely on our products: cutting-edge technology that combines real engineering with the digital future. With over 130 years of experience, passion and the bold ideas of more than 16,000 employees, we are committed to turning technology into ›technology for life‹.
Interested?
Please apply directly through our career portal.
We look forward to receiving your application.