Sr. Product Security Engineer II

Glaukos Corporation
Burlington, MA Full Time
POSTED ON 6/24/2026
AVAILABLE BEFORE 12/28/2026
What You’ll Do:
The Senior Product Security Engineer, based in Burlington, Massachusetts, is a critical, high-level engineering position responsible for designing, implementing, and validating cybersecurity controls across the full medical device product lifecycle. This role is hands-on and technical, working directly with firmware, software, and system engineering teams to ensure our Windows- and Linux-based devices are secure by default and maintainable in the field. The role provides technical leadership on architecture, hardening, secure development practices, and vulnerability remediation to meet FDA cybersecurity expectations and industry best practices.
Security Architecture and Secure-by-Design Engineering
- Define and drive implementation of technical security requirements and risk mitigations for new products and features.
- Create and maintain security architecture diagrams and models, including trust boundaries, data flows, and security control placement.
- Lead threat modeling for device features and connectivity use cases (local, network, cloud, removable media, service interfaces).
- Specify and review security control designs for authentication/authorization, secure communications, cryptographic key handling, secure logging, secure storage, and secure update mechanisms.
- Embed secure development practices into the engineering lifecycle: threat modeling, secure design reviews, secure coding, peer review criteria, and security gates for releases.
- Work with the IEC 81001-5-1 standard.
Platform Hardening (Windows and Linux Devices)
- Partner with engineering teams to implement OS and application hardening measures, such as least privilege, service isolation, secure boot, host firewalling, and endpoint logging.
- Establish technical standards for account management, privilege management, remote access/service modes, and secure debug/manufacturing workflows.
Firmware and Software Security Engineering
- Work with firmware teams to improve security of embedded components, device interfaces, and update flows (signed firmware, integrity verification, rollback considerations).
- Work with software teams to implement secure coding practices and standards.
- Collaborate with QA to integrate automated security testing into regression and release pipelines.
Documentation and Evidence
- Generate and maintain technical security artifacts used for FDA-aligned submissions and internal design controls.
- Maintain records of vulnerability assessments, mitigations, and patch processes.
- Support audit and inspection readiness with thorough, traceable documentation.
Vulnerability & Incident Management
- Lead vulnerability assessment and mitigation activities for product software, firmware, OS components, and third-party libraries.
- Coordinate cross-functional response to newly discovered vulnerabilities, including communication, remediation, and regulatory reporting.
- Track and monitor vulnerability disclosures from third-party libraries and components.
Core Product Security Knowledge
- Secure system and software design principles (least privilege, defense in depth, threat modeling, zero trust).
- Risk management frameworks: NIST 800-53, NIST 800-30, ISO 27001, ISO 14971, and IEC 81001-5-1.
- Cryptography fundamentals (key management, TLS, symmetric/asymmetric encryption, hashing).
- Authentication and authorization mechanisms, identity management, and secure session handling.
- Secure coding standards (e.g., CERT C/C++, OWASP, MISRA, CWE/SANS Top 25).
- Supply chain security concepts and SBOM management (SPDX, CycloneDX).
DevOps & Infrastructure Knowledge
- CI/CD security practices, secrets management, container security (Docker, Podman), and artifact signing.
- Common security testing tools: SAST, DAST, SCA, fuzzers, and pen-testing frameworks.
- Familiarity with cloud infrastructure (AWS or on-prem Linux environments).
- Incident response and vulnerability disclosure processes.
Regulatory & Documentation Knowledge
- Familiarity with FDA cybersecurity premarket and postmarket expectations as they relate to technical controls and objective evidence.
- Secure update/patch management strategies (aligned with FDA “updateability & patchability” expectations).
- Audit-ready documentation practices and traceability to design controls.
Cross-Functional Leadership
- Act as the security subject matter expert across product teams.
- Provide training and mentoring to engineers on secure design and coding practices.
- Partner with compliance, regulatory, and quality teams to align product security strategy with organizational goals.
How You’ll Get There:
- 7–10 years total professional experience in software engineering, cybersecurity, or related technical fields.
- 3–5 years focused on product or embedded system security, ideally within regulated or safety-critical industries (medical device, aerospace, automotive, or defense).
- Demonstrated experience with:
  - Designing or assessing security architectures for embedded or connected systems.
  - Implementing secure development lifecycle (SDL) practices within engineering teams.
  - Leading or participating in vulnerability management and coordinated disclosure processes.
  - Collaborating cross-functionally (engineering, QA, regulatory, IT) to
  - IEC 81001-5-1 standard

- Bachelor’s degree in Computer Science, Electrical/Computer Engineering, Cybersecurity, or a related field.
- Prior experience as a product security lead or security point of contact for a commercial medical or industrial product.
- Experience integrating security testing automation into CI/CD environments.
- Experience supporting external audits, penetration tests, or third-party security assessments.
- Knowledge of and experience with the IEC 81001-5-1 standard.
Preferred
- Master’s degree in Cybersecurity, Software Engineering, or Systems Engineering (ideal for regulated product security leadership).

Salary.com Estimation for Sr. Product Security Engineer II in Burlington, MA
$118,623 to $145,451