Principal Product Cybersecurity Engineer (Boston Hybrid - 3 days on site)
Haemonetics · Boston, MA · 1 wk ago
Information Technology$104k–$176k/yrFull-time
Key Responsibilities
- Secure Product Development & SaMD Security
- Embed security into the medical device and SaMD SDLC, including secure design reviews, threat modeling, and security requirements definition.
- Perform threat modeling and architecture reviews for: Device software and firmware, Cloud-connected services and APIs, Mobile and web applications supporting medical devices.
- Define and validate security controls for authentication, authorization, encryption, and data protection in patient-impacting systems.
- Partner with Quality and Regulatory teams to ensure cybersecurity requirements are documented, traceable, and auditable. Cloud & Backend Product Security (AWS)
- Secure AWS-hosted product backends supporting medical devices and SaMD.
- Design and review security architectures using AWS services.
- Implement product-focused logging, monitoring, and threat detection.
- DevSecOps & Supply Chain Security
- Integrate security testing into CI/CD pipelines, including SAST, DAST, dependency scanning, container scanning, and secrets detection.
- Establish and maintain SBOM practices and third-party component governance for medical device software.
- Define and enforce secure standards for container images, including hardening, scanning, signing, and runtime protections.
- Support secure build, artifact signing, and release integrity controls.
- Vulnerability Management & Post-Market Cybersecurity
- Support product vulnerability intake, triage, and remediation across device software and cloud services.
- Assist with vulnerability disclosure, security advisories, and post-market cybersecurity activities.
- Collaborate with incident response teams to investigate and contain product-related security events.
- Technical Leadership
- Serve as the product security subject matter expert for engineering teams.
- Mentor engineers and influence secure design decisions through practical guidance and standards.
- Drive continuous improvement in product security maturity and resilience.
Required Qualifications
- 10+ years of experience in cybersecurity engineering with a strong focus on product and application security.
- Direct experience securing medical devices, connected devices, or SaMD in a regulated healthcare environment.
- Strong understanding of: Secure SDLC and DevSecOps practices, Threat modeling methodologies, OWASP Top 10 and API security risks.
- Hands-on experience with AWS cloud security in support of products and services.
- Familiarity with healthcare and product security frameworks, including NIST CSF/800-53 and ISO 27001.
- Ability to work effectively across Engineering, Quality, Regulatory, and Product teams.
Preferred Qualifications
- Experience with medical device standards and guidance, including: IEC 62304, ISO 14971, ISO 13485, FDA cybersecurity expectations, UL 2900, AAMI TIR57/TIR97, EU MDR and IEC 81001‑5‑1.
- Exposure to CSPM, CIEM, or cloud workload protection platforms.
- Certifications (One or More Required): CISSP (ISC²) or CISM (ISACA), CompTIA Security+, CySA+, GIAC certifications (e.g., GSEC, GWAPT, GPEN).
- Experience with AWS Certified Security – Specialty, CCSP (ISC²).
- Tools & Technologies: Cloud: AWS (IAM, VPC, ECS, Lambda, S3, RDS, KMS, CloudTrail, GuardDuty), Product Security: Veracode - SAST/DAST, dependency & container scanning, SBOM, DevOps: AWS CI/CD pipelines, Infrastructure as Code (Terraform).