Senior Application Security Engineer
### Who you are
- 10+ years of experience in software engineering, application security, or a combination of both
- A strong software engineering foundation — you've written production code and understand how applications are built, not just how they break
- Meaningful experience in application security, whether that came from transitioning out of a development role or through dedicated AppSec positions
- Hands-on experience with common vulnerability classes (OWASP Top 10, injection attacks, authentication flaws, insecure deserialization, etc.) and how to fix them
- Experience conducting or coordinating threat modeling, security architecture reviews, and secure code reviews
- Proficiency in one or more modern programming languages (Python, Go, Java, TypeScript, etc.) — enough to read, understand, and critique production code
- Familiarity with cloud security (AWS, GCP, or Azure) and container/Kubernetes security practices
- Experience integrating security tooling into CI/CD pipelines (GitHub Actions, Jenkins, etc.)
- Working knowledge of authentication and authorization standards (OAuth 2.0, OIDC, SAML, RBAC)
- Familiarity with API security, including REST and GraphQL attack surfaces
- You can communicate complex security concepts clearly to engineers and non-technical stakeholders alike
- You default to collaboration over confrontation — you know that security only works when developers are on your side
- You're comfortable with ambiguity and can prioritize effectively in a fast-moving environment
- You care about the mission — the systems you're protecting store and transmit sensitive patient data, and that responsibility motivates you
- Experience in a healthcare or health-tech environment
- Familiarity with HIPAA Security Rule requirements and how they translate to engineering controls
- Exposure to compliance frameworks such as SOC 2 Type II, HITRUST, or FedRAMP
- Experience building or maturing a security program at a startup or high-growth company
- Relevant certifications (OSCP, CSSLP, GWEB, CEH, or similar) — valued but not required
### What the job involves
- We're looking for a seasoned Application Security Engineer who brings the credibility of a software engineering background and the mindset of a security practitioner
- You'll be embedded with our engineering teams, helping us build secure systems from the ground up — not bolted on after the fact
- You'll own our application security program, work closely with developers, and be a key voice in shaping how we think about risk across our product and infrastructure
- Own and evolve our application security program, including threat modeling, secure code review, SAST/DAST tooling, and penetration testing coordination
- Partner closely with engineering squads throughout the SDLC to identify and remediate vulnerabilities early — acting as a security champion, not a gatekeeper
- Lead security design reviews for new features and architecture changes, ensuring security requirements are well-understood and actionable
- Develop and maintain a vulnerability management program, prioritizing findings based on risk and driving remediation to closure
- Build and deliver security training and awareness programs tailored to developers — leveraging your engineering background to make guidance practical and relevant
- Evaluate and implement security tooling across the CI/CD pipeline (SAST, SCA, secret scanning, container scanning, etc.)
- Support third-party penetration tests and bug bounty programs, including triage, validation, and remediation tracking
- Contribute to compliance efforts related to HIPAA, SOC 2, and other relevant frameworks, particularly as they relate to application and data security
- Monitor the threat landscape and proactively surface emerging risks relevant to our technology stack and industry
- Develop applications that run securely in cloud and containerized environments
### Benefits
- Unlimited paid time off (PTO)
- Expansive coverage for health, dental, and vision
- Employer contribution to Health Savings Accounts (HSA)
- Generous parental leave policy
- Full employee coverage for life insurance
- Company-paid holidays
- 401(k) plan