Staff Engineer- Product Security SME

Haryana, Gurugram International Techpark Gurgaon (ITPG), India


Work Flexibility: Hybrid

What you will do

  • Act as subject matter expert on the secure development lifecycle for a digital product ecosystem.
  • Understand the overall technical capabilities of a product and its typical deployment scenarios.
  • Partner with product teams to perform threat modeling and drive the associated security requirements.
  • Help product teams prioritize roadmap items to balance security and business risks.
  • Work closely with product teams to assess risks and mitigations and to prepare responses to external organizations.
  • Perform manual and automated security code review of complex desktop, web and mobile applications to identify security flaws.
  • Leverage DevSecOps to embed security testing (SAST, DAST and IAST) into all phases of the SDLC, eliminating repeated steps and driving efficiency.
  • Formulate security testing needs.
  • Support R&D in implementing security risk controls and addressing findings from internal/external audits.
  • Define the post-market monitoring plan, including penetration tests.
  • Support post-market vulnerability assessments.

This role is part of the product security team under Digital Technologies for Trauma and Extremities, which is responsible for the overall security posture of a product line.

What you need

Must Have skills:

  • Bachelor's in Software/Electronics Engineering or equivalent degree.
  • Overall 7-10 years of hands-on experience involving software and hardware platforms.
    • 7+ years of experience in the field of security involving thick client, web and mobile applications.
    • Experience in testing interfaces such as USB, WiFi, Ethernet, Bluetooth, etc. is a plus.
    • Experience working with software development teams.
    • Experience with NIST frameworks, such as applying NIST SP 800-53 controls.
  • Experience in automating routine tasks using tools like Jenkins and/or scripting languages such as PowerShell, Ruby or Python.
  • Experience with web application security testing tools such as Nessus, Metasploit, Burp Suite, sqlmap, OWASP ZAP Proxy and HP Fortify.

Good to Have skills:

  • Knowledge of CWE, OWASP Top 10 and WASC Threat Classification v2.0 methodologies.
  • Integrating tools like Synopsys Black Duck, Sonatype Nexus IQ, etc. for Software Composition Analysis.
  • Professional certifications such as CEH, SSCP, CompTIA CySA+/Security+ or OSCP.
  • Excellent communication and interpersonal skills.
  • Deep technical understanding of common security vulnerabilities and risks, as well as countermeasures and compensating controls.

Travel Percentage: 50%


Region: Asia/Pacific
Country: India
