Sr Penetration Tester
Company
Thermo Fisher Scientific
Location
Shanghai, China
Type
Full Time
Job Description
Work Schedule
Standard (Mon-Fri)
Environmental Conditions
Office
Job Description
The Sr. Product Security Researcher has global responsibility for
ensuring the security of the organization's products and assets by
performing research, penetration testing and remediation validation
of the product and its associated platforms. They will guide
integration of robust solutions within the overarching CIS program.
This includes policy, security awareness & education, application and
vulnerability assessments, technological security controls and risk
evaluation. The solutioning activities must support relevant Thermo
Fisher products (such as instruments, devices, equipment, other
electronic and/or connected devices) and infrastructure.
Key Responsibilities:
Perform penetration testing activities on products and/or
infrastructure to resolve vulnerabilities, validate remediation, and
reduce overall risk profiles.
Build detailed guidance for commonly encountered vulnerabilities and
relevant remediation steps.
Create and enhance current methodologies for penetration testing
which builds on industry standards and guidance from established
agencies such as CISA and the FDA.
Coordinate on security risk assessments for new and existing products
through the pre- and post-market teams.
Build working partnerships with product development leaders and
peers to drive secure development and integration of security features
into all phases of product, firmware, software design processes and
product development lifecycle.
Collaborate with architecture and development teams to develop
shared security frameworks to enable consistent application of secure
coding standard methodologies across the enterprise.
Educate key partners on program, risks, and importance of security in
our products and environment.
Work with business units to identify, collect, call out, and close
security vulnerabilities found in Thermo Fisher products and
infrastructure; leverage tools to deliver vulnerability information
back to the development organization for remediation.
Mentor others in what constitutes secure product activities.
Coordinate/participate in and perform design reviews, peer reviews,
and code reviews.
Ensure excellent consistency, documentation, and process across all
programs.
Collaborate with other departments (e.g., Risk Management, Internal
Audit, HR, Legal, etc.) to direct compliance issues to appropriate
existing channels for investigation and resolution.
Create security bulletins to address new or evolving threats to
the company's assets and products.
Travel up to 25% and on-call/after hours duties may be required.
Minimum Requirements/Qualifications:
Deep knowledge of IoT and digital device research methods, variables
and parameters including analysis, testing and documentation.
Deep understanding of cryptography, authentication, authorization,
network security protocols, and application security.
Strong exposure to application security standards including OWASP
TOP 10, CSC 20, etc.
Familiarity with regulations and requirements surrounding medical
devices and IoT such as FDA pre-market and post-market
cybersecurity requirements.
Bachelor's Degree in Information Assurance, Information Security,
Management Information Systems, Risk Management, or Computer
Science (Master's Degree a plus) or equivalent field experience.
Relevant technical certificates a plus (OSCP, SANS, GIAC, etc.).
5+ years of related work experience with security consulting, product
security, secure software development, risk assessment, and/or
vulnerability management.
Strong interpersonal and documentation skills are a must.
Ability to explain and promote technical concepts.
Strong attention to detail and organization skills.
Excellent verbal and written communication skills and the ability to
partner with a diverse group of executives, managers, and subject
matter authorities.
The ideal candidate will have hands-on experience in one or more of
the following areas: Hardware System Integration, Signal and Power
Integrity, RF Systems, Wi-Fi, Bluetooth, Wireless Communications,
TCP/IP, Network and Application Penetration Testing.
Date Posted
01/21/2025