Product Security Engineer

Job Description

Primary Function:

The Product Cybersecurity Team is responsible for the security lifecycle of medical devices, software products, infrastructure, cloud services, and IoMT solutions that generate, collect and analyze medical device machine data from thousands of systems deployed world-wide.

The ideal candidate for the position of Product Security Engineer III is an accomplished security engineer, with demonstrated experience in the secure design, development, and management of complex medical device applications and systems. The candidate has solid cybersecurity knowledge, comprising detailed understanding of cybersecurity threats, secure software design principles, secure coding practices and knowledge of cryptographic tools and libraries. The candidate can review product cybersecurity vulnerabilities; can recommend improvements in security design, and can support remediation. The candidate routinely conducts threat modeling, vulnerability management, and product line security management activities.

This position requires a candidate with strong technical and interpersonal skills, the ability to work effectively and collaboratively with the business and peer Engineering teams to deliver high quality solutions that ensure patient safety.

Roles & Responsibilities:

Product Security (20%)

• Assist product teams with defining and shaping Product Security strategy.
• Provide cybersecurity guidance and recommendation to Program & Product teams.
• Provide teams with technical security guidance as part of developing a product marketing strategy.
• Perform Product Security resource management in support of Intuitive product programs/projects.
• Where necessary, support third-party vendor oversight in support of program/project-related Product Security activities.
• Provide Product Cybersecurity support & recommendation to product road-mapping activities.
• Support communication of product cybersecurity strategy as an element of overall product strategy.
• Assist in Product Security Incident Response Team (PSIRT) analysis & response.

Risk Management (20%)

• Ensure that product cybersecurity risk meets product risk acceptance objectives.
• Provide product cybersecurity risk management guidance and expertise to projects, peers or external inquires.
• Design, implement and maintain common product cybersecurity risk registers.
• Implement, review, and assess the results of product cybersecurity risk assessments for both internal and third-party systems and components.
• Recommend, document, and monitor the implementation of any corrective actions resulting from product cybersecurity risk assessments.
• Perform product cybersecurity risk analysis and risk management for compliance-based initiatives.
• Research new trends in cybersecurity risk management, standards, technologies and framework revisions

SDLC And Product Delivery (15%)

• Assist in leading and overseeing product cybersecurity Secure Product Development Framework (SPDF) and Software Development Lifecycle (SDLC) practices.
• Gather and review product cybersecurity compliance requirements as a component of Security by Design initiatives.
• Assess product cybersecurity as a component of product designs and architectures.
• Prescribe and evaluate secure coding standards as a component of SPDF and SDLC.
• Support product cybersecurity testing and remediation as a component of SPDF and SDLC.
• Through review of Software Bill of Material (SBOM), Software of Unknown Provenance (SOUP) and security tools environments, assess third-party component security as an element of overall product cybersecurity posture.
• Perform hardware, software, and application cybersecurity threat modeling.

Vulnerability Assessment & Penetration Testing (10%)

• Support development, communication, and execution of vulnerability scanning, secure code review, and penetration testing plans.
• Support scoping engagements and contribute to Statements of Work for external assessment activities.
• Provide hands-on support and expertise to ongoing vulnerability assessment and penetration testing activities.
• Analyze and present findings and/or remediation guidance associated with vulnerability assessment activities.

Security Engineering (10%)

• Support product teams with guidance and recommendations for infrastructure security design.
• Perform vulnerability assessments as required
• Support hardening of systems to meet product cybersecurity and cyber resilience requirements.
• Provide guidance and recommendations in evaluation of new security products and solutions.

Architecture And Design (10%)

• Determine applicable security requirements and security controls as a component of security design.
• Perform vulnerability analysis and risk assessments of product and system architectures.
• Develop product cybersecurity reports, supporting compliance audits and security assessments.
• Develop and maintain product cybersecurity architecture diagrams & design documents.
• Remain current on the evolving landscape of product cybersecurity frameworks, methodologies, and procedures.
   

Qualifications

Skills, Experience, Education, and Training:

• Bachelor’s degree in Computer Science, Computer Security, or relevant discipline
• 4+ years of experience
• Passion for understanding and researching new vulnerabilities and exploitation techniques
• Proficient in complex network design (firewalls, load-balancing, TLS, switching and routing
• Practical knowledge of OWASP Top Ten, how to discover, triage, verify and resolve the issues
• Knowledge of common security flaws and resolution as published by SANS, CWE, CVE, CVSS etc.
• Understanding of application threat modeling, secure coding principles and SDLC security best practices
• Demonstrated knowledge of TCP/IP, SSL/TLS, HTTP, switching and routing, Windows & Linux OS, Relational SQL databases
• Demonstrated experience with security tools (Splunk, Syslog, Nessus, nMap, Metasploit, Nexpose, Nessus, Coverity, Checkmarx, et al).
• CISSP, GCIA, GIAC, GISF, GSEC, SSCP, OSCP, OSWE or equivalent certification preferred.
• Hands-on engineering experience with proven ability to work well in a team environment
• Strong analytic skills as proven by a track record of analyzing and fixing complex problems in products and processes.
• Demonstrated good judgment in the presence of competing priorities and incomplete data; proven ability to make difficult trade-offs with good judgment.
• Travel: <10%

Additional Information

Due to the nature of our business and the role, please note that Intuitive and/or your customer(s) may require that you show current proof of vaccination against certain diseases including COVID-19.  Details can vary by role.

Intuitive is an Equal Opportunity Employer. We provide equal employment opportunities to all qualified applicants and employees, and prohibit discrimination and harassment of any type, without regard to race, sex, pregnancy, sexual orientation, gender identity, national origin, color, age, religion, protected veteran or disability status, genetic information or any other status protected under federal, state, or local applicable laws.

Mandatory Notices

U.S. Export Controls Disclaimer:  In accordance with the U.S. Export Administration Regulations (15 CFR §743.13(b)), some roles at Intuitive Surgical may be subject to U.S. export controls for prospective employees
who are nationals from countries currently on embargo or sanctions status.

Certain information you provide as part of the application will be used for purposes of determining whether Intuitive Surgical will need to (i) obtain an export license from the U.S. Government on your behalf (note: the government’s licensing process can take 3 to 6+ months) or (ii) implement a Technology Control Plan (“TCP”) (note: typically adds 2 weeks to the hiring process).  

For any Intuitive role subject to export controls, final offers are contingent upon obtaining an approved export license and/or an executed TCP prior to the prospective employee’s
start date, which may or may not be flexible, and within a timeframe that does not unreasonably impede the hiring need. If applicable, candidates will be notified and instructed on any requirements for these purposes. 

We will consider for employment qualified applicants with arrest and conviction records in accordance with fair chance laws.

Preference will be given to qualified candidates who do not reside, or plan to reside, in Alabama, Arkansas, Delaware, Florida, Indiana, Iowa, Louisiana, Maryland, Mississippi, Missouri, Oklahoma, Pennsylvania, South Carolina, or Tennessee.

This position may be filled at a different job level than listed here depending on
business need and/or on the selected candidate’s experience, knowledge and skills.
Compensation will be based primarily on the job level at which the role is filled and the
candidate’s qualifications, consistent with applicable law.

We provide market-competitive compensation packages, inclusive of base pay, incentives, benefits, and equity. It would not be typical for someone to be hired at the top end of range for the role, as actual pay will be determined based on several factors, including experience, skills, and qualifications. The target compensation ranges are listed.