Johnson & Johnson
Principal Product Security Engineer
Johnson & Johnson – MedTech Cybersecurity Team
Job Description
Johnson & Johnson’s MedTech cybersecurity team is recruiting an experienced Principal Product Security Engineer to be based in Danvers, MA or Raritan, NJ. This role can also be remote or hybrid and will require up to 10% travel.
In this role you will own the product security process for J&J’s Heart Recovery portfolio of medical devices and supporting platforms, from pre‑market design through post‑market operations. You will deliver security architecture, cryptographic controls, embedded system protections, threat mitigation techniques, and ensure regulatory compliance across the product lifecycle.
Responsibilities
Drive alignment with J&J Product Security’s overarching framework and strategy for Heart Recovery.
Define and implement secure boot, firmware integrity validation, and anti‑tamper mechanisms for device firmware.
Enforce cryptographic protocols for data‑at‑rest and data‑in‑transit, ensuring compliance with FDA cybersecurity requirements, NIST standards, and IEC 62443.
Define and implement key‑management infrastructure (PKI, HSMs, TPMs, secure enclave) for device identity, authentication, and software signing.
Develop real‑time vulnerability assessment techniques for wireless communications (Bluetooth LE, NFC, Wi‑Fi, 5G, proprietary RF).
Implement Zero Trust security for device‑to‑cloud connectivity, integrating mTLS and continuous authentication models.
Oversee secure OTA update mechanisms, ensuring firmware rollbacks, code signing, and supply‑chain integrity validation.
Lead Secure Development Lifecycle practices, integrating threat modeling, static/dynamic analysis, fuzz testing, and formal verification.
Work with R&D Engineering to define hardware security architecture, including trust zones and hardware root of trust.
Implement memory safety strategies to mitigate buffer overflows, side‑channel attacks, and execution vulnerabilities.
Respond to customer cybersecurity questionnaires and contractual language for post‑market devices.
Coordinate third‑party penetration testing, software architecture review, code analysis, and other security testing activities.
Monitor for new vulnerabilities, assist with patching and remediation plans for marketed devices.
Qualifications – Required
5+ years industry experience in Information Security; 3+ years in embedded system, IoT, or medical device cybersecurity.
Bachelor’s degree or equivalent.
Experience generating threat models without the use of threat‑modeling tools.
Experience performing risk assessments using CVSS 3.1+ and STRIDE per element.
Ability to write technical security requirements for embedded systems and web platforms based on the latest regulations.
Knowledge of third‑party penetration testing, vulnerability scanning, CVSS, and other general security testing principles.
Experience supporting regulatory security submissions (FDA Cybersecurity Guidance 2025, EU MDR, NIST 800‑53, IMDRF, AAMI TIR57).
Knowledge of real‑time operating systems hardening, cloud security principles, and SBOM generation.
Ability to generate pre‑market risk assessments, post‑market SCA SBOM scans, and security architecture views for medical devices.
Strong secure‑coding and review skills, familiarity with HIPAA & GDPR, and industry certifications such as HITRUST & ISO 27001.
Proven ability to lead large projects and deliver results on schedule; excellent communication, collaboration, and customer focus.
Creative problem‑solving skills and a proactive, autonomous work style.
Preferred Skills
Experience leading or participating in formal security audits.
Familiarity with FDA and other global regulatory cybersecurity guidance and submission processes.
Experience with web applications and server hardening (AWS, Azure) and knowledge of OWASP Top 10 and blue‑team techniques.
Experience in cybersecurity pre‑sales, software development, and advanced degrees (MS or higher).
Certifications such as CISSP, CISM, or other security credentials.
Job Information
Seniority level:
Not Applicable
Employment type:
Full‑time
Locations:
Danvers, Massachusetts; Raritan, New Jersey (remote/hybrid options); up to 10% travel.
Salary: $102,000.00 – $177,100.00
Benefits
Vacation: 120 hours per calendar year
Sick time: 40 hours per calendar year (56 hours if residing in Washington)
Holiday pay (incl. Floating Holidays): 13 days per calendar year
Work, Personal and Family Time: up to 40 hours per calendar year
Parental Leave: 480 hours within one year of birth/adoption/foster care
Condolence Leave: 30 days (5 days for extended family)
Caregiver Leave: 10 days
Volunteer Leave: 4 days
Military Spouse Time‑Off: 80 hours
EEO Statement
Johnson & Johnson is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, age, national origin, disability, protected veteran status, or any other characteristic protected by federal, state, or local law. We actively seek qualified candidates who are protected veterans and individuals with disabilities as defined under VEVRAA and Section 503 of the Rehabilitation Act.
Johnson & Johnson is committed to providing an inclusive interview process. If you have a disability that requires accommodation, please contact us via https://www.jnj.com/contact-us/careers or AskGS.