Job ID 2100070J
Available Openings 1
PURPOSE AND SCOPE:
The Sr. Product Security Architect partners with our product development and engineering organizations to enable them to build and enhance security in Fresenius Medical Care's products and services. The ideal candidate possesses strong security and systems experience and has worked with medical devices, digital platforms, cloud, mobile, and/or embedded/IoT device ecosystems in a cross-functional environment. As a trusted technical partner, expert, and thought leader, this role will help shape the future of Fresenius's core product portfolio and digital transformation. The execution of your primary roles and responsibilities will be largely unsupervised and requires a high degree of self-motivation. You will apply a practical, risk-based approach while both leading and advising product teams in the security domains. This is a highly technical role, with approximately 80% of the time spent as architect, designer, and advisor. Fresenius is looking for a contributing team member to assist in maturing our overall product security program, mentor others, and be a hands-on partner to our product teams to deliver innovative and secure products and experiences to customers.
PRINCIPAL DUTIES AND RESPONSIBILITIES:
- Establish best practices for the effective avoidance, identification, and resolution of security weaknesses in products, services, and related processes for FMC products and services.
- Engage with product teams as both advisor and contributing team member to enable building security into complex systems across the entire product lifecycle (from concept through deployment and use), including conducting security reviews and coordinating penetration testing.
- Lead and partner with developers and testers in security activities during the product lifecycle, such as secure design reviews/threat modeling, security code reviews, security test planning, and component security hardening, to identify potential security weaknesses.
- Innovate on technical solutions to solve security challenges in product architecture, implementation, testing, release, and operations.
- Coordinate and guide the response to security vulnerabilities that are reported by 3rd party researchers or customers against released products and services.
- Work closely with other security professionals in Information Security or other groups at Fresenius Medical Care to execute key functions such as secure code signing, secure manufacturing, and secure product operations.
- Interact with development and manufacturing partners to enable security of product components in the supply chain.
- Keep abreast of advances in secure system design and development practices, threats and threat actors, and new attack techniques or areas of security research, and provide guidance to the product organizations to help them avoid or mitigate future security concerns.
- Contribute to the risk management process for product development.
- Core architecture community member of the product security program at Fresenius Medical Care (contributing to security program design, developing product security standards and processes, and defining appropriate program metrics), helping drive maturity and adoption of the overall program.
- Participate as a senior contributor to the broader Fresenius Medical Care security programs (information/data) representing product security and connecting it into the overall security framework and program.
- Participate as a CFT (Cross Functional Team) or CTT (Cross Technical Team) member as assigned.
- Perform analysis and execute POCs (Proof of Concepts) or POFs (Proof of Feasibility) initiatives covering medical device security and advanced cryptography.
- Other duties as assigned.
Additional responsibilities may include focus on one or more departments or locations. See applicable addendum for department or location specific functions.
PHYSICAL DEMANDS AND WORKING CONDITIONS:
- The physical demands and work environment characteristics described here are representative of those an employee encounters while performing the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
EDUCATION:
- Bachelor's Degree in related engineering or scientific discipline required; Advanced Degree desirable.
EXPERIENCE AND REQUIRED SKILLS:
- 5 – 8 years' related experience; Master's degree a plus.
- Secure software / systems development lifecycle experience (e.g. Microsoft SDL, OpenSAMM, CMMI-Dev+Secure).
- Demonstrable knowledge and experience in one or more of the following areas:
  - System security engineering
  - Embedded device security
  - Application or system hardening
  - Security Testing / Penetration Testing
  - Mobile application security
  - Cloud security
  - Forensics or reverse engineering
- Knowledge of common security standards and best practices, such as NIST 800-53/800-160, ISO 270xx, CWE, CVSS, OWASP Top 10, CERT Secure Coding Standards.
- Experience with cryptographic libraries (e.g. wolfSSL, OpenSSL)
- Core knowledge of certificate-based authentication and PKI
- Experience leading secure architecture, design, and code reviews.
- Direct development experience in languages including C/C++ (x86 or ARM), Python, and Java; Go or Swift experience desirable.
- Certified Software Security Lifecycle Professional (CSSLP), Certified Information Systems Security Professional (CISSP) certification, SANS GIAC Certified Incident Handler (GCIH), or SANS GIAC Certified Penetration Tester (GPEN) or equivalent certification
- Experience with CI/CD tools and practices
- Experience in Waterfall, Agile, DevOps, and/or V-Model development methodologies
- Experience with application security tools such as SonarQube, Fortify, or Clang preferred
- Experience using CIS Security benchmarks or US DISA Security Technical Implementation Guides
- Prior or current involvement in industry security initiatives such as IETF, OWASP, ISO, CWE, BSIMM, Cloud Security Alliance, or any open-source project related to security
- Experience with Industrial or Consumer Internet of Things (IoT) products
- Familiarity with US FDA cybersecurity requirements or Automotive security requirements desirable
- Understanding of functional safety (FDA, Automotive) and/or privacy requirements desirable
- Teaching or technical consultation experience desirable
- Competence in resolving problems/conflicts in a diplomatic and tactful manner.
- Experienced and comfortable making risk-based recommendations and judgments.
- Excellent written and verbal communication skills; must understand and be able to deliver security concepts and challenges to various levels within the organization (e.g. developers, program management, business leaders).
EO/AA Employer: Minorities/Females/Veterans/Disability/Sexual Orientation/Gender Identity
Fresenius Medical Care North America maintains a drug-free workplace in accordance with applicable federal and state laws.