
Senior Product Security Engineer
Belmont, CA


Job Description

At Roche, we believe it's urgent to deliver medical solutions right now - even as we develop innovations for the future. We are passionate about transforming patients' lives. We are courageous in both decision and action. And we believe that good business means a better world.

Within our Belmont location, we are seeking a highly motivated professional with experience in Security, Privacy and Compliance to join our dynamic team. As a Senior Product Security Engineer, this person will be part of a Purple Team playing an essential role in establishing and implementing cyber defense controls to protect sensitive data in medical devices and decision support products in the cloud (the NAVIFY product portfolio).

Responsibilities:

* Define and implement security and privacy patterns and standards for Roche medical devices and decision support products in the cloud (the NAVIFY product portfolio) during all product development stages
* Support the development of services and infrastructure configurations providing security and privacy controls
* Define the appropriate scenarios and prioritize relevant attack patterns, managing internal and external penetration tests and Red/Blue team exercises on a product environment
* Support security incident response and forensic activities, working directly with the Roche Cyber Defense teams
* Integrate and manage SAST, DAST and IAST tools in the CI/CD pipelines
* Manage vulnerabilities at all technology layers, pre- and post-market, evaluating criticality for adequate prioritization and providing the most suitable remediation, working directly with the product team
* Evangelize security and privacy, developing Security Champions across the departments involved in product development and operations
* Generate high-quality security and privacy documentation for internal and external compliance
* Maintain the product security controls and awareness, supporting the Product Security Governance teams

Requirements:

* BA/BS in Business, Information Systems, Computer Science or a relevant area of study required
* Minimum 4 years of related work experience in Security Engineering, Privacy & Risk Management
* Minimum 3 years of related work experience with SDLC and cloud environments
* Demonstrated soft skills: problem solving, leadership, communication, teamwork, flexibility and adaptability
* Demonstrated experience in AWS cloud provisioning tools (CloudFormation or Terraform)
* Demonstrated experience in configuration management tools (Ansible, Salt or Chef)
* Demonstrated experience in application security and OWASP framework
* Demonstrated experience working with Developers and DevOps Engineers and securing the Software Development LifeCycle (SDLC)
* Demonstrated experience automating security controls (desired languages: Shell scripting, Python)
* Demonstrated experience supporting security and/or privacy audits
* In-depth experience in managing information security and privacy risks and threat modeling
* In-depth experience in vulnerability handling pre- and post-market
* In-depth experience in system and cloud infrastructure hardening
* Strong understanding of HIPAA and GDPR is highly preferred
* Strong understanding of industry standards: ISO 27000 family and HITRUST is highly preferred
* Certifications are a plus: SANS GIAC (GCIH, GPEN, GCIA, GCFA and others), CEH, CISSP, CISA, CISM, LA ISO 27001

Roche is an equal opportunity employer.
