Fabric Health Verified
Healthtech, Healthcare, Information Technology & Services

Senior Application Security Engineer

United States | Remote | Full Time | $130,000–$160,000 /yr | Posted 1 day ago

Infrastructure & Security

About Fabric Health

At Fabric Health, we are powering boundless care by solving healthcare’s biggest challenge: clinical capacity. We aren’t here to disrupt healthcare; we’re here to fix it. We unify the care journey from intake to treatment, using intelligent automation to remove administrative burdens and make care delivery 2-10x more efficient. Our technology empowers clinicians to move faster and focus on what matters most: the patient.

We are a mission-driven team of brilliant minds trusted by leading organizations including Intermountain Health, OSF HealthCare, SSM Health, and MUSC Health. Our vision is backed by premier investors such as Thrive Capital, GV (Google Ventures), General Catalyst, and Salesforce Ventures. We move quickly for good reason, listen deeply to solve big challenges, and build products with the same care and quality we’d want for our own loved ones.

About the Role

Fabric handles protected health information at scale across 75+ health systems and millions of patient encounters. Security is not a layer we add at the end. It is built into how we work. As a Senior Application Security Engineer, you will own the application security practice at Fabric, partnering directly with engineering to embed security throughout the development lifecycle, build the tooling and automation that keeps our platform secure, and ensure our applications meet the compliance standards our health system customers require. This is a new headcount reporting to the VP of Infrastructure.

What You'll Do

As a Senior Application Security Engineer, you will be the driving force behind application security at Fabric, operating as a partner to engineering rather than a gatekeeper. Your primary responsibilities will include:

  • Secure Development & Code Review: Partner with engineering teams to embed security throughout the SDLC across Fabric's Ruby on Rails, Python, React, and Node.js applications. Conduct security-focused code reviews and provide actionable guidance on secure coding practices.
  • Threat Modeling & Assessment: Lead threat modeling exercises for new features and architectural changes. Conduct application penetration testing and vulnerability assessments across the platform, prioritizing findings and working directly with engineering to drive remediation.
  • DevSecOps & Tooling: Implement and manage SAST and DAST tooling integrated into CI/CD pipelines. Build security guardrails and automated checks that allow engineering to move fast without introducing risk to the platform or patient data.
  • Compliance & Risk: Ensure application security practices meet HIPAA, SOC 2, and HITRUST requirements. Assess third-party integrations and APIs for security risk, including EHR integrations with Epic and Cerner.
  • Security Education & Culture: Run secure coding training and awareness programs for engineering teams. Serve as the internal subject matter expert on application security and lead response to application-layer security incidents.

Why You Might Be a Good Fit

  • You think like an attacker and build like an engineer. You are as comfortable in a codebase as you are writing a threat model.
  • You understand that in healthcare, a vulnerability is not just a technical problem. It is a patient safety and compliance problem.
  • You prefer building guardrails and education programs over reactive patching.
  • You can communicate security risk to engineering teams in a way that drives action, not defensiveness.
  • You are energized by building a security practice and shaping how a fast-growing company approaches application security.

This Might Not Be The Right Fit If...

  • You are primarily a compliance or GRC-focused security professional and are not comfortable getting into the code.
  • You prefer working in a mature, established security program over building and defining one.
  • You are not comfortable working closely with engineering as a partner rather than an oversight function.
  • You do not have experience in a regulated environment where security decisions carry direct compliance implications.

Your Qualifications

  • 5+ years of experience in application security with hands-on experience in security assessments, penetration testing, and secure code review.
  • Proficiency in at least one language in Fabric's stack: Ruby, Python, JavaScript/TypeScript, or similar.
  • Experience integrating SAST and DAST tooling into CI/CD pipelines.
  • Deep understanding of the OWASP Top 10 and common application vulnerabilities.
  • Experience with threat modeling methodologies.
  • Familiarity with cloud security in AWS environments.
  • Understanding of HIPAA or other regulated industry security requirements.

Bonus Points

  • Experience securing healthcare applications or working with PHI.
  • Familiarity with EHR integration security including FHIR, HL7, Epic, or Cerner APIs.
  • Security certifications such as OSCP, GWEB, or BSCP.
  • Experience with bug bounty program management.
  • SOC 2 or HITRUST audit support experience.

*The national pay range for this role is $130,000.00 – $160,000.00 per year. Actual compensation will be determined by factors such as the candidate's geographic market, experience, skills, and qualifications. Certain roles may also be eligible for additional compensation, including a comprehensive benefits package such as medical, dental, vision, unlimited PTO, and a 401(k) plan, stock options and bonuses. If your compensation requirement is greater than our posted range, please still consider applying; a determination can be made based on unique qualifications. Expected compensation ranges for this role may change over time.*

*At Fabric, we believe that a diverse workforce is essential to our success. We are an equal opportunity employer and are committed to creating an inclusive environment for all employees. We do not discriminate on the basis of race, color, religion, sex, national origin, age, disability, veteran status, or any other legally protected characteristic. We actively encourage individuals from all backgrounds to apply.*

Recruitment Fraud Alert: Protect Yourself

Fabric Health is aware of scammers attempting to impersonate employers. To ensure that any recruiting contact you receive is legitimate, please adhere to the following:

  • Verify the Domain: Official recruitment emails will only come from addresses ending in *@fabrichealth.com* or *@gem.com*. No other domain names are legitimate.
  • Official Interview Tools: We use Gem for our recruitment process and Google Meet for all video interviews. Google Meet is always the platform used for your first interview; you will never be sent a Zoom link to set up or conduct an initial interview. All interviews are conducted via video unless specifically stated by our team as an audio call. We never conduct interviews via chat, social media, Skype, or WhatsApp.
  • Zoom Usage: Zoom is utilized only for specific meetings set directly by our team for purposes outside of the standard interview process (e.g., coordination or onboarding discussions). It is never the first link you will receive from us.
  • Authorized Contact & Texting: Fabric will only contact you if you have submitted an application or if you are connected to a current employee who shared your information with us. We will only send text messages if you have provided explicit authorization and consent, either through your application or while communicating directly with our team. If you have not explicitly authorized us to reach out, treat any SMS or unsolicited outreach as fraudulent and do not respond.
  • Sensitive Data: We will never ask you for sensitive personal or financial documents (ID, banking info, SSN) during the application, interview, or candidacy stages. All sensitive data is handled through secure internal systems post-offer.
  • Verify the Team: You can reference LinkedIn to verify members of our recruiting team; however, please remain vigilant as scammers may create fraudulent profiles. Always cross-reference the sender's email domain with our official @fabrichealth.com address.

If you question the validity of a contact or receive a suspicious message, do not click any links. Report the issue immediately to careers-security@fabrichealth.com.

Please note: The security inbox is for reporting fraudulent activity only. Do not email this address for application status updates or to share application materials, as these will not be reviewed. Applications are only accepted and reviewed if submitted through our official application portal, and no application status information will be provided via the security email.

*Applicants must be currently authorized to work in the United States without the need for current or future visa sponsorship.*

Fabric does not currently offer, and will not provide, H-1B or any other employment-based visa sponsorship, now or in the future.

*This includes candidates on F-1 OPT or STEM OPT. Your legal right to work must be* PERMANENT AND UNRESTRICTED*.*

Describe a vulnerability you identified during a code review or security assessment. How did you triage and prioritize it, how did you communicate it to the engineering team, and how was it resolved? \*

*Please note: Applications with incomplete / blank responses to this question will not be considered.*

Req ID: ENG2607
