Sr. Application Security Engineer

AKASA
South San Francisco, CA
1d
$205,000 - $275,000
Hybrid

About The Position

We're looking for a seasoned Application Security Engineer who brings the credibility of a software engineering background and the mindset of a security practitioner. You'll be embedded with our engineering teams, helping us build secure systems from the ground up — not bolted on after the fact. You'll own our application security program, work closely with developers, and be a key voice in shaping how we think about risk across our product and infrastructure.

Requirements

  • 10+ years of experience in software engineering, application security, or a combination of both.
  • A strong software engineering foundation — you've written production code and understand how applications are built, not just how they break.
  • Meaningful experience in application security, whether that came from transitioning out of a development role or through dedicated AppSec positions.
  • Hands-on experience with common vulnerability classes (OWASP Top 10, injection attacks, authentication flaws, insecure deserialization, etc.) and how to fix them.
  • Experience conducting or coordinating threat modeling, security architecture reviews, and secure code reviews.
  • Proficiency in one or more modern programming languages (Python, Go, Java, TypeScript, etc.) — enough to read, understand, and critique production code.
  • Familiarity with cloud security (AWS, GCP, or Azure) and container/Kubernetes security practices.
  • Experience integrating security tooling into CI/CD pipelines (GitHub Actions, Jenkins, etc.).
  • Working knowledge of authentication and authorization standards (OAuth 2.0, OIDC, SAML, RBAC).
  • Familiarity with API security, including REST and GraphQL attack surfaces.
  • You can communicate complex security concepts clearly to engineers and non-technical stakeholders alike.
  • You default to collaboration over confrontation — you know that security only works when developers are on your side.
  • You're comfortable with ambiguity and can prioritize effectively in a fast-moving environment.
  • You care about the mission — the systems you're protecting store and transmit sensitive patient data, and that responsibility motivates you.

Nice To Haves

  • Experience in a healthcare or health-tech environment.
  • Familiarity with HIPAA Security Rule requirements and how they translate to engineering controls.
  • Exposure to compliance frameworks such as SOC 2 Type II, HITRUST, or FedRAMP.
  • Experience building or maturing a security program at a startup or high-growth company.
  • Relevant certifications (OSCP, CSSLP, GWEB, CEH, or similar) — valued but not required.

Responsibilities

  • Own and evolve our application security program, including threat modeling, secure code review, SAST/DAST tooling, and penetration testing coordination.
  • Partner closely with engineering squads throughout the SDLC to identify and remediate vulnerabilities early — acting as a security champion, not a gatekeeper.
  • Lead security design reviews for new features and architecture changes, ensuring security requirements are well-understood and actionable.
  • Develop and maintain a vulnerability management program, prioritizing findings based on risk and driving remediation to closure.
  • Build and deliver security training and awareness programs tailored to developers — leveraging your engineering background to make guidance practical and relevant.
  • Evaluate and implement security tooling across the CI/CD pipeline (SAST, SCA, secret scanning, container scanning, etc.).
  • Support third-party penetration tests and bug bounty programs, including triage, validation, and remediation tracking.
  • Contribute to compliance efforts related to HIPAA, SOC 2, and other relevant frameworks, particularly as they relate to application and data security.
  • Monitor the threat landscape and proactively surface emerging risks relevant to our technology stack and industry.
  • Develop applications that run securely in cloud and containerized environments.

Benefits

  • Flexible paid time off (PTO)
  • Expansive coverage for health, dental, and vision
  • Employer contribution to Health Savings Accounts (HSA)
  • Generous parental leave policy
  • Full employee coverage for life insurance
  • Home office stipend
  • Cell phone/internet reimbursement
  • Company-paid holidays
  • 401(K) plan