What are the responsibilities and job description for the Sr. Product Security Engineer II position at Glaukos Corporation?
Sr. Product Security Engineer
What You’ll Do:
The Senior Product Security Engineer, based in Burlington Massachusetts, is a critical, high-level engineering position tasked to leading security efforts across the product lifecycle, ensuring products meet regulatory expectations and industry best practices for cybersecurity. This role provides both hands-on technical expertise and cross-functional leadership, with influence over product strategy, development processes, and post-market security posture.
Security Architecture & Requirements
- Define security requirements and risk mitigations for new products and features.
- Translate regulatory and industry security standards (e.g., FDA, ISO 27001, NIST, OWASP) into actionable product requirements.
- Develop and maintain security architecture diagrams and models for software and integrated systems.
Development Lifecycle Security
- Embed secure development practices (threat modeling, secure coding, code review standards) into the software development lifecycle.
- Define and support secure CI/CD practices, including secrets management, dependency management, and supply-chain security.
- Partner with DevOps/IT to secure cloud infrastructure, build pipelines, and deployment environments.
Testing & Validation
- Assist the testing team with security testing efforts for new and on-market products, including penetration testing, fuzzing, and static/dynamic code analysis.
- Update and maintain vulnerability management processes, including SBOM creation and maintenance.
- Collaborate with QA to integrate automated security testing into regression and release pipelines.
- Documentation & Compliance
- Generate and maintain pre-market security documentation to support regulatory submissions (e.g., security risk assessments, security architecture views, threat models, FDA cybersecurity guidance compliance).
- Maintain records of vulnerability assessments, mitigations, and patch processes.
- Support audit and inspection readiness with thorough, traceable documentation
Vulnerability & Incident Management
- Manage product vulnerability assessment and mitigation activities, both pre-market and post-market.
- Coordinate cross-functional response to newly discovered vulnerabilities, including communication, remediation, and regulatory reporting.
- Track and monitor vulnerability disclosures from third-party libraries and components.
Cross-Functional Leadership
- Act as the security subject matter expert across product teams.
- Provide training and mentoring to engineers on secure design and coding practices.
- Partner with compliance, regulatory, and quality teams to align product security strategy with organizational goals
How You’ll Get There:
- 7–10 years total professional experience in software engineering, cybersecurity, or related technical fields.
- 3–5 years focused on product or embedded system security, ideally within regulated or safety-critical industries (medical device, aerospace, automotive, or defense).
- Demonstrated experience with:
- Designing or assessing security architectures for embedded or connected systems.
- Implementing secure development lifecycle (SDL) practices within engineering teams.
- Leading or participating in vulnerability management and coordinated disclosure processes.
- Generating pre-market cybersecurity documentation or equivalent regulatory submissions (e.g., FDA, ISO 14971, IEC 81001-5-1).
- Collaborating cross-functionally (engineering, QA, regulatory, IT) to implement and sustain security programs.
Preferred
- Prior experience as a product security lead or security point of contact for a commercial medical or industrial product.
- Experience integrating security testing automation into CI/CD environments.
- Experience supporting external audits, penetration tests, or third-party security assessments.
Core Product Security Knowledge
- Secure system and software design principles (least privilege, defense in depth, threat modeling, zero trust).
- Risk management frameworks: NIST 800-53, NIST 800-30, ISO 27001, ISO 14971, and IEC 81001-5-1.
- Cryptography fundamentals (key management, TLS, symmetric/asymmetric encryption, hashing).
- Authentication and authorization mechanisms, identity management, and secure session handling.
- Secure coding standards (e.g., CERT C/C , OWASP, MISRA, CWE/SANS Top 25).
- Supply chain security concepts and SBOM management (SPDX, CycloneDX).
DevOps & Infrastructure Knowledge
- CI/CD security practices, secrets management, container security (Docker, Podman), and artifact signing.
- Common security testing tools: SAST, DAST, SCA, fuzzers, and pen-testing frameworks.
- Familiarity with cloud infrastructure (AWS, or on-prem Linux environments).
- Incident response and vulnerability disclosure processes.
Regulatory & Documentation Knowledge
- FDA cybersecurity premarket and postmarket guidance.
- Secure update/patch management strategies (aligned with FDA “updateability & patchability” expectations).
- Audit-ready documentation practices and traceability to design controls.
Minimum
- Bachelor’s degree in Computer Science, Electrical/Computer Engineering, Cybersecurity, or a related field.
Preferred
- Master’s degree in Cybersecurity, Software Engineering, or Systems Engineering (ideal for regulated product security leadership).
#GKOSUS
What You’ll Do:
The Senior Product Security Engineer, based in Burlington Massachusetts, is a critical, high-level engineering position tasked to leading security efforts across the product lifecycle, ensuring products meet regulatory expectations and industry best practices for cybersecurity. This role provides both hands-on technical expertise and cross-functional leadership, with influence over product strategy, development processes, and post-market security posture.
Security Architecture & Requirements
- Define security requirements and risk mitigations for new products and features.
- Translate regulatory and industry security standards (e.g., FDA, ISO 27001, NIST, OWASP) into actionable product requirements.
- Develop and maintain security architecture diagrams and models for software and integrated systems.
Development Lifecycle Security
- Embed secure development practices (threat modeling, secure coding, code review standards) into the software development lifecycle.
- Define and support secure CI/CD practices, including secrets management, dependency management, and supply-chain security.
- Partner with DevOps/IT to secure cloud infrastructure, build pipelines, and deployment environments.
Testing & Validation
- Assist the testing team with security testing efforts for new and on-market products, including penetration testing, fuzzing, and static/dynamic code analysis.
- Update and maintain vulnerability management processes, including SBOM creation and maintenance.
- Collaborate with QA to integrate automated security testing into regression and release pipelines.
- Documentation & Compliance
- Generate and maintain pre-market security documentation to support regulatory submissions (e.g., security risk assessments, security architecture views, threat models, FDA cybersecurity guidance compliance).
- Maintain records of vulnerability assessments, mitigations, and patch processes.
- Support audit and inspection readiness with thorough, traceable documentation
Vulnerability & Incident Management
- Manage product vulnerability assessment and mitigation activities, both pre-market and post-market.
- Coordinate cross-functional response to newly discovered vulnerabilities, including communication, remediation, and regulatory reporting.
- Track and monitor vulnerability disclosures from third-party libraries and components.
Cross-Functional Leadership
- Act as the security subject matter expert across product teams.
- Provide training and mentoring to engineers on secure design and coding practices.
- Partner with compliance, regulatory, and quality teams to align product security strategy with organizational goals
How You’ll Get There:
- 7–10 years total professional experience in software engineering, cybersecurity, or related technical fields.
- 3–5 years focused on product or embedded system security, ideally within regulated or safety-critical industries (medical device, aerospace, automotive, or defense).
- Demonstrated experience with:
- Designing or assessing security architectures for embedded or connected systems.
- Implementing secure development lifecycle (SDL) practices within engineering teams.
- Leading or participating in vulnerability management and coordinated disclosure processes.
- Generating pre-market cybersecurity documentation or equivalent regulatory submissions (e.g., FDA, ISO 14971, IEC 81001-5-1).
- Collaborating cross-functionally (engineering, QA, regulatory, IT) to implement and sustain security programs.
Preferred
- Prior experience as a product security lead or security point of contact for a commercial medical or industrial product.
- Experience integrating security testing automation into CI/CD environments.
- Experience supporting external audits, penetration tests, or third-party security assessments.
Core Product Security Knowledge
- Secure system and software design principles (least privilege, defense in depth, threat modeling, zero trust).
- Risk management frameworks: NIST 800-53, NIST 800-30, ISO 27001, ISO 14971, and IEC 81001-5-1.
- Cryptography fundamentals (key management, TLS, symmetric/asymmetric encryption, hashing).
- Authentication and authorization mechanisms, identity management, and secure session handling.
- Secure coding standards (e.g., CERT C/C , OWASP, MISRA, CWE/SANS Top 25).
- Supply chain security concepts and SBOM management (SPDX, CycloneDX).
DevOps & Infrastructure Knowledge
- CI/CD security practices, secrets management, container security (Docker, Podman), and artifact signing.
- Common security testing tools: SAST, DAST, SCA, fuzzers, and pen-testing frameworks.
- Familiarity with cloud infrastructure (AWS, or on-prem Linux environments).
- Incident response and vulnerability disclosure processes.
Regulatory & Documentation Knowledge
- FDA cybersecurity premarket and postmarket guidance.
- Secure update/patch management strategies (aligned with FDA “updateability & patchability” expectations).
- Audit-ready documentation practices and traceability to design controls.
Minimum
- Bachelor’s degree in Computer Science, Electrical/Computer Engineering, Cybersecurity, or a related field.
Preferred
- Master’s degree in Cybersecurity, Software Engineering, or Systems Engineering (ideal for regulated product security leadership).
#GKOSUS