Staff Product Security Eng – Cybersecurity – Draeger Medical Systems, Inc. – Job-ID V000003254

at Draeger
Location Andover, MA
Date Posted January 19, 2020
Category Default
Job Type Full-time


As an active member of product development cross-functional teams, has responsibility for all program cybersecurity deliverables per process. Participates in architecture/design reviews and threat modeling activities, helping to identify risks in new and existing products/systems. Works with engineering teams on how to best address individual cybersecurity vulnerabilities identified during threat modeling and other review activities. Complies with all internal and external processes.

1 Conduct monthly Nessus scans and report out results to maintain our DoD RMF certification. Perform both pre- and post-release threat and vulnerability testing (pen testing, fuzz testing, etc.) looking for unmitigated cybersecurity threats/vulnerabilities in our products.

2 Create and release all program cybersecurity documents required by Draeger process, and draft Manufacturer Disclosure Statements for Medical Device Security (MDS2) documents. Draft responses to customer-requested cybersecurity documents/inquiries.

3 Perform all work in compliance with all internal and external cybersecurity processes and regulations.

4 Participate in threat modeling activities and architectural/design reviews to help identify possible cybersecurity vulnerabilities.  Provide design guidance and potential mitigation solutions on identified vulnerabilities.

5 Review the Software Bill of Materials (SBOM) looking for newer versions of listed software items. For new versions, review and evaluate the updates to identify any released items that address security vulnerabilities, scoring and documenting the results.

6 Draft customer-facing cybersecurity advisories when new cybersecurity vulnerabilities are discovered in released products where Draeger is required to give public notice of the vulnerability.

7 Participate in post-market release team reviews of cybersecurity field complaints, providing input on severity and probability scoring for each identified vulnerability.