Application Security Engineer III

At KARL STORZ, we are driven by innovation and a commitment to improving patient outcomes through cutting-edge medical technology. As a global leader in endoscopy and medical imaging, we offer an environment where collaboration, technical excellence, and continuous learning are highly valued. Join a team where your cybersecurity expertise will directly contribute to the development of secure, compliant, and life-changing healthcare technologies.

The Application Security Engineer III serves as the technical lead for cybersecurity compliance and secure product development initiatives, with primary responsibility for achieving and maintaining Department of Defense (DoD) Authorization to Operate (ATO) certifications under the Risk Management Framework (RMF). This role partners closely with Software Engineering, Systems Engineering, Quality, Regulatory, and Product Management teams to ensure products meet cybersecurity requirements throughout the development lifecycle.

• Lead and maintain DoD Authorization to Operate (ATO) certifications.

• Serve as the primary cybersecurity contact for DoD-related projects.

• Manage RMF compliance activities, including STIG and SCAP scanning, POA&M management, and risk mitigation planning.

• Author and maintain cybersecurity documentation, risk analyses, and compliance reports.

• Support certification audits, renewals, and customer-facing cybersecurity reviews.

• Verify cybersecurity requirements through testing, documentation, and validation activities.

• Partner with engineering teams to implement secure development practices.

• Support threat modeling, vulnerability management, and security testing throughout the SDLC.

• Participate in product security reviews and provide risk mitigation recommendations.

• Design and maintain DevSecOps pipelines with automated security testing and vulnerability scanning.

• Support secure CI/CD practices and compliance monitoring.

• Establish and maintain cybersecurity lab environments and test infrastructure.

• Collaborate with R&D, Quality, Regulatory, IT, Operations, and Product Management teams.

• Communicate cybersecurity risks, requirements, and recommendations to technical and non-technical stakeholders.

• Participate in customer meetings, technical reviews, and occasional on-site visits.

• Bachelor's degree in Computer Science, Cybersecurity, Information Systems, or a related technical field.

• 5+ years of cybersecurity experience (4+ years with a Master's degree).

• Experience supporting application, product, or embedded cybersecurity in regulated industries such as medical devices, defense, or aerospace.

• Hands-on experience with DoD RMF, STIGs, SCAP tools, and POA&M management.

• Knowledge of NIST frameworks, including NIST 800-53 and NIST 800-171.

• Experience with secure software development, vulnerability management, risk assessment, and DevSecOps practices.

• Experience with Windows and Linux hardening, network security, and system compliance validation.

• Strong communication, analytical, organizational, and problem-solving skills.

• Experience obtaining or maintaining DoD ATO certifications.

• Knowledge of FDA cybersecurity guidance and medical device security standards.

• Certifications such as CISSP, Security+, CEH, or GSEC.

• Experience with cloud security, container security, and automated testing frameworks.

• Experience working in Linux, Windows Server, virtualized environments, and network security architectures.

• Master's degree in a related technical discipline.

• Travel: Up to 10%

• Physical Requirements: Ability to sit for extended periods and lift equipment up to 20 pounds occasionally.

• Work Environment: Fast-paced, collaborative environment supporting highly regulated medical technology products.