Jobs · Engineering · Colorado

Sr DevSecOps Engineer

Medtronic · Lafayette, CO · 1 wk ago
On-siteEngineering$125k–$187k/yrFull-time

About the role

The Sr DevSecOps Engineer will lead secure embedded platform enablement for new and existing medical device development programs. This role is part of the Embedded OS Platforms Team, which delivers the core software infrastructure and foundational system components that enable operation of the application software.

Responsibilities

  • Define and own the DevSecOps architecture and roadmap for embedded capital equipment platforms, including CI/CD pipelines, build infrastructure, security automation, release evidence, and long-term maintainability.
  • Create and support Yocto-based embedded Linux distributions, BSP software, device drivers, hypervisors, and platform-level OS components.
  • Establish secure software supply chain practices, including SBOM generation, SOUP/OTS component tracking, license awareness, vulnerability monitoring, end-of-support tracking, and remediation workflows.
  • Develop reusable CI/CD templates and pipeline controls for static analysis, software composition analysis, unit test automation, artifact signing, provenance tracking, cybersecurity evidence capture, and release readiness.
  • Lead threat modeling and cybersecurity risk analysis for embedded platform components, including asset identification, attack surface analysis, exploitability assessment, security controls, and traceability to risk mitigations.
  • Drive CVE intake, enrichment, asset mapping, triage, risk scoring, remediation planning, validation, and reporting in partnership with Product Security, SWQA, Systems, and program teams.
  • Design and implement secure boot, firmware signing, cryptographic configuration, key/certificate lifecycle support, authenticated update mechanisms, and secure device communication patterns.
  • Define runtime security monitoring requirements and support post-market cybersecurity monitoring and vulnerability response workflows.
  • Review reported anomalies, assess cybersecurity impact, and support incident-response activities as needed.
  • Support regulatory submissions and audits by ensuring cybersecurity, software lifecycle, and DevSecOps evidence is complete, traceable, reproducible, and aligned with internal quality system expectations.
  • Define platform-level OS and BSP maintenance strategies, including Linux kernel support, Yocto release planning, driver update strategy, patchability, and security update governance across the product lifecycle.
  • Collaborate with external vendors and internal partners to evaluate security tooling, embedded Linux support models, vulnerability intelligence, penetration testing outputs, and long-term maintenance approaches.
  • Provide technical leadership and mentoring to software engineers, DevOps engineers, and platform teams on secure coding, build automation, vulnerability handling, and regulated software development practices.
  • Partner with product teams to define platform capabilities that are reusable, secure, testable, and scalable across multiple capital equipment programs.

Requirements

  • Strong understanding of FDA cybersecurity expectations, IEC 62304, ISO 14971, ISO 13485, SOUP/OTS software management, SBOM practices, and software lifecycle evidence generation.
  • Experience implementing security automation in CI/CD pipelines, including SAST, SCA, container scanning, artifact signing, build reproducibility, traceability, and vulnerability reporting.
  • Strong experience with threat modeling, vulnerability assessment, cybersecurity risk analysis, and secure-by-design architecture reviews.
  • Experience with CVE triage methods that include exploitability, asset exposure, configuration applicability, runtime reachability, known exploited vulnerabilities, and remediation validation.
  • Hands-on experience with AMD/Xilinx SoC-based embedded systems, including AMD Zynq 7000 series, Zynq UltraScale+, Kria SOM, and the NVIDIA ORIN platform.
  • Experience with real-time operating systems such as SafeRTOS and QNX Neutrino.
  • Experience with Yocto, BSPs, OS layers, kernel configuration, boot flows, device drivers, and embedded platform security.
  • Experience developing or governing DevSecOps practices in regulated medical device, safety-critical, aerospace, automotive, or industrial control environments.
  • Ability to collaborate across hardware, software, systems, product security, quality, regulatory, program management, and product management stakeholders.
  • Demonstrated ability to influence cross-functional engineering and leadership decisions without direct authority.
  • Experience defining reusable platform practices across multiple products, programs, hardware variants, or software release branches.
  • Strong debugging, problem-solving, and root-cause analysis skills.
  • Strong technical communication skills with the ability to translate cybersecurity and DevSecOps risks into actionable engineering and leadership decisions.

Qualifications

  • Bachelor's degree and minimum of 4 years of relevant experience OR Master's degree with a minimum of 2 years relevant experience OR PhD with 0 years relevant experience.

Similar jobs

Sr. DevSecOps Engineer

CACI International IncFairfax, VA· 4 days ago
Engineeringapply on searchcareers.caci.com

Sr. DevSecOps Engineer

UICGS / Bowhead Family of CompaniesSan Diego, CA· 4 days ago
Information Technologyapply on bowheadcareers-uicalaska.icims.com