Senior Product Security Engineer Vulnerability Management

Intuitive


Job Location: Sunnyvale, CA - USA

Monthly Salary: Not Disclosed
Posted on: Yesterday
Vacancies: 1 Vacancy

Job Summary

Primary Function:
The Product Cybersecurity Team is responsible for the security lifecycle of medical devices, software
products, infrastructure, cloud services, and IoMT solutions that generate, collect, and analyze medical
device machine data from thousands of systems deployed world-wide.


The ideal candidate for the position of Senior Product Security Engineer is an accomplished security engineer
with demonstrated experience in the secure design, development, and management of complex medical
device applications and systems. The candidate has solid cybersecurity knowledge comprising a detailed
understanding of cybersecurity threats, secure software design principles, secure coding practices, and
knowledge of cryptographic tools and libraries. The candidate can review product cybersecurity
vulnerabilities, can recommend improvements in security design, and can support remediation. The
candidate routinely conducts threat modeling, vulnerability management, and product line security
management activities.


This position requires a candidate with strong technical and interpersonal skills and the ability to work
effectively and collaboratively with the business and peer Engineering teams to deliver high-quality
solutions that ensure patient safety.

What you'll do

  • Own and operate the post-market vulnerability management lifecycle across Intuitive products and services, from intake through remediation and closure
  • Perform and operationalize ongoing vulnerability scanning for internal and external assets, including medical devices, digital applications, infrastructure, cloud services, and IoMT solutions
  • Manage monthly, quarterly, and annual vulnerability scans and penetration tests, including coordination with third-party providers to meet regulatory and compliance requirements
  • Define scan scope, rules of engagement, and schedules with external vendors to ensure coverage, quality, and on-time delivery
  • Analyze vulnerability findings to assess real-world risk, prioritizing issues based on exploitability, exposure, patient safety, and business impact
  • Review and synthesize results from scans and penetration tests, delivering clear, prioritized remediation guidance to engineering and product stakeholders
  • Track remediation activities to completion, ensuring alignment with compliance obligations and internal risk acceptance criteria
  • Maintain vulnerability inventories, repositories, and metrics to support ongoing reporting and audits
  • Prepare and deliver vulnerability reports, dashboards, and technical risk evaluations for monthly, quarterly, and annual reviews
  • Support risk-based vulnerability assessments across the post-market product portfolio
  • Conduct ad-hoc vulnerability scans and analyses in support of incident response, customer inquiries, and emerging threat activity
  • Identify vulnerability trends and patterns to inform preventative controls and long-term risk reduction
  • Advise remediation teams on effective mitigation strategies and secure engineering practices
  • Support the development, maintenance, and monitoring of Software Bills of Materials (SBOMs) as part of vulnerability tracking and reporting
  • Contribute to the design, improvement, and operation of vulnerability management processes, standards, and security policies
  • Maintain vulnerability management procedures and playbooks supporting leadership, service teams, and audit stakeholders
  • Partner closely with Product Security Engineering, Quality, Incident Response, and service teams through regular check-ins and coordinated execution
  • Support incident response activities and investigations related to product vulnerabilities
  • Help elevate organizational awareness of emerging threats and in-market vulnerabilities, and of how Intuitive proactively manages risk

What you'll bring

  • Hands-on experience owning post-market vulnerability management or product security workflows in a regulated or safety-critical environment
  • Strong understanding of vulnerability lifecycles, including intake, triage, validation, prioritization, remediation tracking, verification, and reporting
  • Practical experience assessing real-world risk using frameworks such as CVE, CVSS, CWE, OWASP Top 10, and SANS guidance
  • Experience coordinating third-party security assessments, including vulnerability scanning and penetration testing engagements
  • Ability to translate technical findings into clear, actionable remediation guidance for engineering and product teams
  • Strong judgment in balancing security risk, compliance requirements, and product realities
  • Familiarity with secure software design principles, secure coding practices, and threat modeling
  • Working knowledge of cryptographic tools, libraries, and common security controls
  • Experience supporting audit, compliance, and regulatory reporting related to product security
  • Exposure to SBOMs, third-party component risk, and software supply chain security
  • Comfort operating across hardware, software, firmware, and cloud environments, with the ability to learn new domains quickly
  • Strong analytical skills with a track record of solving complex technical and operational problems
  • Excellent collaboration and communication skills, with the ability to influence cross-functional teams without direct authority
  • Ability to manage multiple workstreams, vendors, and stakeholders while maintaining responsiveness and operational rigor
  • A mindset oriented toward continuous improvement, adaptability, and building scalable security processes

Qualifications:

Demonstrated technical knowledge and experience in the following areas:

  • Experience in vulnerability management, information assurance, security operations, and penetration testing
  • Ability to plan, manage, and execute multiple tasks and projects within defined timelines
  • Operating the vulnerability scanning tool set, which may include Qualys, Nessus, GitLab, Black Duck, etc.
  • Excellent verbal, written, and presentation communication skills. Ability to clearly articulate risk and provide actionable remediation guidance

Desired Qualifications:

  • Bachelor's degree or higher preferred, in Cybersecurity or a closely related field, or an equivalent combination of education, training, and experience
  • Current relevant professional certifications such as GPEN, GWAPT, GEVA, CEPT, OSCP, OSCE a plus
  • Prior experience in the healthcare, medical device, or bioscience sectors a plus
  • Knowledge of the OWASP Top 10
  • Demonstrated knowledge and skill in exploitation tactics, including but not limited to buffer overflows, heap overflows, format string attacks, cross-site scripting, SQL injection, LFI and RFI, cross-site request forgery, server-side request forgery, XXE, pass-the-hash, ARP poisoning, wi-fi injection, phishing, credential harvesting, MiTM, AP spoofing, brute forcing, etc.
  • Able to demonstrate risk with post-exploitation tactics such as pivoting, data scavenging, privilege escalation, etc.
  • Familiarity with security concepts, e.g. best practices to protect CIA, types of security controls, CIS Top 20 Security Controls, risk management, risk analysis models, threat modeling, and the Common Vulnerability Scoring System (CVSS)
  • Familiarity with the Cyber Kill Chain and MITRE ATT&CK frameworks

Travel: <10%
Job location: Sunnyvale, CA or remote


Additional Information:

Due to the nature of our business and the role, please note that Intuitive and/or your customer(s) may require that you show current proof of vaccination against certain diseases, including COVID-19. Details can vary by role.

Intuitive is an Equal Opportunity Employer. We provide equal employment opportunities to all qualified applicants and employees, and prohibit discrimination and harassment of any type without regard to race, sex, pregnancy, sexual orientation, gender identity, national origin, color, age, religion, protected veteran or disability status, genetic information, or any other status protected under applicable federal, state, or local laws.

Mandatory Notices

U.S. Export Controls Disclaimer: In accordance with the U.S. Export Administration Regulations (15 CFR 743.13(b)), some roles at Intuitive Surgical may be subject to U.S. export controls for prospective employees who are nationals of countries currently under embargo or sanctions status.

Certain information you provide as part of the application will be used for purposes of determining whether Intuitive Surgical will need to (i) obtain an export license from the U.S. Government on your behalf (note: the government's licensing process can take 3 to 6 months) or (ii) implement a Technology Control Plan (TCP) (note: typically adds 2 weeks to the hiring process).

For any Intuitive role subject to export controls, final offers are contingent upon obtaining an approved export license and/or an executed TCP prior to the prospective employee's start date, which may or may not be flexible, and within a timeframe that does not unreasonably impede the hiring need. If applicable, candidates will be notified and instructed on any requirements for these purposes.

We will consider for employment qualified applicants with arrest and conviction records in accordance with fair chance laws.

Preference will be given to qualified candidates who do not reside or plan to reside in Alabama, Arkansas, Delaware, Florida, Indiana, Iowa, Louisiana, Maryland, Mississippi, Missouri, Oklahoma, Pennsylvania, South Carolina, or Tennessee.

We provide market-competitive compensation packages inclusive of base pay, incentives, benefits, and equity. It would not be typical for someone to be hired at the top end of the range for the role, as actual pay will be determined based on several factors, including experience, skills, and qualifications. The target compensation ranges are listed.


Remote Work: No

Employment Type: Full-time


About Company

At Intuitive, we are united behind our mission: we believe that minimally invasive care is life-enhancing care. Through ingenuity and intelligent technology, we expand the potential of physicians to heal without constraints. As pioneer and leading company in the field of robotic-assi ...