Sr Product Security Researcher
Thermo Fisher Scientific

Frederick, Maryland

This job has expired.


Job Description

The Sr Product Security Researcher, Product Security has global responsibility for the security associated with the company's Product Security program. They will perform research, testing and validation of a product and its associated platforms, and guide integration of solutions within the overarching CIS program. This includes policy, security awareness & education, application and vulnerability assessments, technological security controls and risk evaluation. The solutioning activities must support relevant Thermo Fisher products (such as instruments, devices, equipment, and other electronic and/or connected devices) and infrastructure.

Key Responsibilities:

  • Work closely with key product development leaders to ensure security is incorporated in all product offerings.
  • Support efforts to inject security into all levels of the product development process.
  • Drive secure development and integration of security features into all phases of product, firmware and software design and development.
  • Lead programs to ensure continuous development and improvement of security integration into the product development lifecycle.
  • Partner with architecture and development teams to develop shared security frameworks to enable consistent application of secure coding standard methodologies across the enterprise.
  • Build working relationships with product development partners to maintain and improve product and application security processes.
  • Assist in maturing process, policy, and standards guidance.
  • Educate key partners on program, risks, and importance of security in our products and environment.
  • Work with business units to identify, collect, call out, and close security vulnerabilities found in Thermo Fisher products and infrastructure; leverage tools to deliver vulnerability information back to the development organization for remediation.
  • Mentor others in what constitutes secure product activities.
  • Perform research activities on existing and in-development products and/or infrastructure to resolve security capabilities and discover unknown risks.
  • Build testing approaches and perform testing activities on products and/or infrastructure to resolve vulnerabilities, validate remediation, and reduce overall risk profiles.
  • Proactively ensure that applicable regulatory mandates are addressed with appropriate controls.
  • Coordinate/participate in and perform design reviews, peer reviews, and code reviews.
  • Ensure excellent consistency, documentation, and process across all programs.
  • Coordinate with security risk assessments for new and existing products through the risk assessment team.
  • Collaborate with other groups (e.g., Risk Management, Internal Audit, HR, Legal, etc.) to direct compliance issues to appropriate existing channels for investigation and resolution.
  • Creation of product whitepapers throughout the product lifecycle.
  • Creation of security bulletins to address new or evolving threats to products and infrastructure.
  • Travel up to 25% and on-call/after hours duties may be required.

Minimum Requirements/Qualifications:

  • Deep knowledge of IoT and digital device research methods, variables and parameters including analysis, testing and documentation.
  • Deep understanding of cryptography, authentication, authorization, network security protocols, and application security.
  • Solid understanding of how to connect new and changing threats to IoT portfolio to build mitigating or compensating activities.
  • Strong exposure to popular application security standards including OWASP Top 10, CSC 20, etc.
  • Bachelor's Degree in Information Assurance, Information Security, Management Information Systems, Risk Management, or Computer Science (Master's Degree a plus) or equivalent field experience.
  • Relevant technical certificates a plus (OSCP, SANS, GIAC, etc.).
  • 5+ years of related work experience with security consulting, product security, secure software development, risk assessment, and/or vulnerability management.
  • Solid interpersonal and documentation skills are a must.
  • Ability to explain and promote technical concepts.
  • Solid attention to detail and organizational skills.
  • Strong customer service skills required.
  • Excellent verbal and written communication skills and the ability to communicate professionally with a diverse group, executives, managers, and domain experts.
  • The ideal candidate will have hands-on experience in one or more of the following areas: Hardware System Integration, Signal and Power Integrity, RF Systems, Wi-Fi, Bluetooth, Wireless Communications, TCP/IP, Network and Application Penetration Testing.

