Glaukos
Sr. Product Security Engineer
What You’ll Do: The Senior Product Security Engineer, based in Burlington Massachusetts, is a critical, high-level engineering position tasked to leading security efforts across the product lifecycle, ensuring products meet regulatory expectations and industry best practices for cybersecurity. This role provides both hands-on technical expertise and cross-functional leadership, with influence over product strategy, development processes, and post-market security posture.
Security Architecture & Requirements
Define security requirements and risk mitigations for new products and features.
Translate regulatory and industry security standards (e.g., FDA, ISO 27001, NIST, OWASP) into actionable product requirements.
Develop and maintain security architecture diagrams and models for software and integrated systems.
Development Lifecycle Security
Embed secure development practices (threat modeling, secure coding, code review standards) into the software development lifecycle.
Define and support secure CI/CD practices, including secrets management, dependency management, and supply-chain security.
Partner with DevOps/IT to secure cloud infrastructure, build pipelines, and deployment environments.
Testing & Validation
Assist the testing team with security testing efforts for new and on-market products, including penetration testing, fuzzing, and static/dynamic code analysis.
Update and maintain vulnerability management processes, including SBOM creation and maintenance.
Collaborate with QA to integrate automated security testing into regression and release pipelines.
Documentation & Compliance
Generate and maintain pre-market security documentation to support regulatory submissions (e.g., security risk assessments, security architecture views, threat models, FDA cybersecurity guidance compliance).
Maintain records of vulnerability assessments, mitigations, and patch processes.
Support audit and inspection readiness with thorough, traceable documentation
Vulnerability & Incident Management
Manage product vulnerability assessment and mitigation activities, both pre-market and post-market.
Coordinate cross-functional response to newly discovered vulnerabilities, including communication, remediation, and regulatory reporting.
Track and monitor vulnerability disclosures from third-party libraries and components.
Cross-Functional Leadership
Act as the security subject matter expert across product teams.
Provide training and mentoring to engineers on secure design and coding practices.
Partner with compliance, regulatory, and quality teams to align product security strategy with organizational goals.
How You’ll Get There:
7–10 years total professional experience in software engineering, cybersecurity, or related technical fields.
3–5 years focused on product or embedded system security, ideally within regulated or safety-critical industries (medical device, aerospace, automotive, or defense).
Demonstrated experience with:
Designing or assessing security architectures for embedded or connected systems.
Implementing secure development lifecycle (SDL) practices within engineering teams.
Leading or participating in vulnerability management and coordinated disclosure processes.
Generating pre-market cybersecurity documentation or equivalent regulatory submissions (e.g., FDA, ISO 14971, IEC 81001-5-1).
Collaborating cross-functionally (engineering, QA, regulatory, IT) to implement and sustain security programs.
Preferred
Prior experience as a
product security lead
or
security point of contact
for a commercial medical or industrial product.
Experience integrating
security testing automation
into CI/CD environments.
Experience supporting
external audits, penetration tests, or third-party security assessments.
Core Product Security Knowledge
Secure system and software design principles (least privilege, defense in depth, threat modeling, zero trust).
Risk management frameworks:
NIST 800-53, NIST 800-30, ISO 27001, ISO 14971 , and
IEC 81001-5-1 .
Cryptography fundamentals (key management, TLS, symmetric/asymmetric encryption, hashing).
Authentication and authorization mechanisms, identity management, and secure session handling.
Secure coding standards (e.g.,
CERT C/C++ ,
OWASP ,
MISRA ,
CWE/SANS Top 25 ).
Supply chain security concepts and
SBOM management (SPDX, CycloneDX) .
DevOps & Infrastructure Knowledge
CI/CD security practices, secrets management, container security (Docker, Podman), and artifact signing.
Common security testing tools:
SAST, DAST, SCA, fuzzers, and pen-testing frameworks .
Familiarity with cloud infrastructure (AWS, or on-prem Linux environments).
Incident response and vulnerability disclosure processes.
Regulatory & Documentation Knowledge
FDA cybersecurity premarket and postmarket guidance.
Secure update/patch management strategies (aligned with FDA “updateability & patchability” expectations).
Audit-ready documentation practices and traceability to design controls.
Minimum
Bachelor’s degree in
Computer Science, Electrical/Computer Engineering, Cybersecurity , or a related field.
Preferred
Master’s degree in
Cybersecurity, Software Engineering, or Systems Engineering
(ideal for regulated product security leadership).
#J-18808-Ljbffr
What You’ll Do: The Senior Product Security Engineer, based in Burlington Massachusetts, is a critical, high-level engineering position tasked to leading security efforts across the product lifecycle, ensuring products meet regulatory expectations and industry best practices for cybersecurity. This role provides both hands-on technical expertise and cross-functional leadership, with influence over product strategy, development processes, and post-market security posture.
Security Architecture & Requirements
Define security requirements and risk mitigations for new products and features.
Translate regulatory and industry security standards (e.g., FDA, ISO 27001, NIST, OWASP) into actionable product requirements.
Develop and maintain security architecture diagrams and models for software and integrated systems.
Development Lifecycle Security
Embed secure development practices (threat modeling, secure coding, code review standards) into the software development lifecycle.
Define and support secure CI/CD practices, including secrets management, dependency management, and supply-chain security.
Partner with DevOps/IT to secure cloud infrastructure, build pipelines, and deployment environments.
Testing & Validation
Assist the testing team with security testing efforts for new and on-market products, including penetration testing, fuzzing, and static/dynamic code analysis.
Update and maintain vulnerability management processes, including SBOM creation and maintenance.
Collaborate with QA to integrate automated security testing into regression and release pipelines.
Documentation & Compliance
Generate and maintain pre-market security documentation to support regulatory submissions (e.g., security risk assessments, security architecture views, threat models, FDA cybersecurity guidance compliance).
Maintain records of vulnerability assessments, mitigations, and patch processes.
Support audit and inspection readiness with thorough, traceable documentation
Vulnerability & Incident Management
Manage product vulnerability assessment and mitigation activities, both pre-market and post-market.
Coordinate cross-functional response to newly discovered vulnerabilities, including communication, remediation, and regulatory reporting.
Track and monitor vulnerability disclosures from third-party libraries and components.
Cross-Functional Leadership
Act as the security subject matter expert across product teams.
Provide training and mentoring to engineers on secure design and coding practices.
Partner with compliance, regulatory, and quality teams to align product security strategy with organizational goals.
How You’ll Get There:
7–10 years total professional experience in software engineering, cybersecurity, or related technical fields.
3–5 years focused on product or embedded system security, ideally within regulated or safety-critical industries (medical device, aerospace, automotive, or defense).
Demonstrated experience with:
Designing or assessing security architectures for embedded or connected systems.
Implementing secure development lifecycle (SDL) practices within engineering teams.
Leading or participating in vulnerability management and coordinated disclosure processes.
Generating pre-market cybersecurity documentation or equivalent regulatory submissions (e.g., FDA, ISO 14971, IEC 81001-5-1).
Collaborating cross-functionally (engineering, QA, regulatory, IT) to implement and sustain security programs.
Preferred
Prior experience as a
product security lead
or
security point of contact
for a commercial medical or industrial product.
Experience integrating
security testing automation
into CI/CD environments.
Experience supporting
external audits, penetration tests, or third-party security assessments.
Core Product Security Knowledge
Secure system and software design principles (least privilege, defense in depth, threat modeling, zero trust).
Risk management frameworks:
NIST 800-53, NIST 800-30, ISO 27001, ISO 14971 , and
IEC 81001-5-1 .
Cryptography fundamentals (key management, TLS, symmetric/asymmetric encryption, hashing).
Authentication and authorization mechanisms, identity management, and secure session handling.
Secure coding standards (e.g.,
CERT C/C++ ,
OWASP ,
MISRA ,
CWE/SANS Top 25 ).
Supply chain security concepts and
SBOM management (SPDX, CycloneDX) .
DevOps & Infrastructure Knowledge
CI/CD security practices, secrets management, container security (Docker, Podman), and artifact signing.
Common security testing tools:
SAST, DAST, SCA, fuzzers, and pen-testing frameworks .
Familiarity with cloud infrastructure (AWS, or on-prem Linux environments).
Incident response and vulnerability disclosure processes.
Regulatory & Documentation Knowledge
FDA cybersecurity premarket and postmarket guidance.
Secure update/patch management strategies (aligned with FDA “updateability & patchability” expectations).
Audit-ready documentation practices and traceability to design controls.
Minimum
Bachelor’s degree in
Computer Science, Electrical/Computer Engineering, Cybersecurity , or a related field.
Preferred
Master’s degree in
Cybersecurity, Software Engineering, or Systems Engineering
(ideal for regulated product security leadership).
#J-18808-Ljbffr