Lead Penetration Tester


Job Description

The Product Security and Services team within Johnson & Johnson’s Information Security & Risk Management (ISRM) is recruiting for a Lead Penetration Tester responsible for supporting the Enterprise Penetration Testing program. In this position, the preferred location is Fort Washington, PA or Raritan, NJ.

Caring for the world, one person at a time has inspired and united the people of Johnson & Johnson for over 125 years. We embrace research and science -- bringing innovative ideas, products and services to advance the health and well-being of people. Employees of the Johnson & Johnson Family of Companies work with partners in health care to touch the lives of over a billion people every day, throughout the world.

The Lead Penetration Tester will join the Johnson & Johnson Product Security and Services team, whose overall mission is to ensure enterprise systems and marketed products of the Johnson & Johnson Family of Companies are built on Cybersecurity best practices and Cybersecurity Risks are properly managed.

The main responsibility of this role is to help ensure software, hardware, and related components supporting systems and products of the J&J Family of Companies are protected from cyber-attacks. In this role, you will be a part of a growing team, and will be contributing to the development of the penetration testing security services and practices for Johnson & Johnson. Your responsibilities will include penetration testing, overseeing 3rd party partners, identifying and communicating key strategies and goals, partnering with internal organizations on process and policy enhancements, identifying communications plans and raising overall awareness of the cybersecurity of platforms and capabilities. This is essential for patient safety and confidence in Johnson & Johnson products and for security of the Johnson & Johnson enterprise systems.

  • Identify and drive penetration testing services strategy and goals
  • Partner with internal organizations to enhance existing processes and policies
  • Define, create and present metrics to management
  • Partner with external organizations and industry groups to represent Johnson & Johnson
  • Provide security architecture guidance / review for enterprise systems and products
  • Assist in investigations of J&J security incidents by providing a technical evaluation / recreation of the compromise
  • Oversee 3rd party product penetration tests and perform internal product penetration tests as needed
  • Conduct technical research on new vulnerabilities / exploits / methods and help determine overall risk to products
  • Provide periodic training opportunities to Product Security Managers on technical security topics related to attack / defense of products
  • Evaluate or develop new tools / methods to assist in penetration testing.
  • Conduct penetration tests individually and/or as part of the team and create reports.

  • A Bachelor’s degree is preferred or equivalent experience preferably in computer science, risk management, security, or a related area.
  • A minimum of five (5) years of information security applications and systems experience is required
  • Professional experience with Web Application and API penetration testing is required
  • A working knowledge of one or more programming languages such as PHP, JavaScript, Perl, Python, Ruby, or Bash, including the ability to understand and edit existing code, is required
  • Experience with mobile (iOS / Android) penetration testing is preferred
  • Advanced working knowledge of at least one of the following operating systems: Windows, Linux, macOS
  • Knowledge of one or more database management systems such as MySQL, SQL Server, PostgreSQL, and Oracle is preferred
  • CISSP and at least one offensive security certification are desired
  • One or more of the following certifications are desired: CSSLP, CISM, GMOB
  • Highly effective internal and external communicator with exceptional oral, written and presentation skills is required
  • Willingness and the ability to learn in a dynamic environment is required
  • A real passion for, and knowledge of, leading and new technologies is required
  • An understanding of Software as a Medical Device, embedded system security, application security mechanisms, such as authentication and authorization techniques, data validation, and the proper use of encryption is preferred
  • Knowledge of OWASP Top 10, CVSS, and CVE is required
  • Experience with Bug bounty program management is desired.
  • Proven analytical and problem-solving skills, as well as the desire to assist others in solving issues is required
  • Highly motivated with the willingness to take ownership / responsibility for their work as well as the ability to work alone or as part of a team is required
  • This position may sit in Raritan, NJ or Fort Washington, PA and will require up to 20% travel

Johnson & Johnson is an Affirmative Action and Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, age, national origin, or protected veteran status and will not be discriminated against on the basis of disability.


Primary Location
United States-New Jersey-New Brunswick
Other Locations
North America-United States-Pennsylvania-Fort Washington, North America-United States-New Jersey-Raritan
Johnson & Johnson Services Inc. (6090)
Job Function
Information Security