
Senior Application Security Engineer
AKASA
full-time
Location Type: Hybrid
Location: South San Francisco • California • United States
Salary
💰 $205,000 - $275,000 per year
About the role
- Own and evolve our application security program, including threat modeling, secure code review, SAST/DAST tooling, and penetration testing coordination.
- Partner closely with engineering squads throughout the SDLC to identify and remediate vulnerabilities early — acting as a security champion, not a gatekeeper.
- Lead security design reviews for new features and architecture changes, ensuring security requirements are well-understood and actionable.
- Develop and maintain a vulnerability management program, prioritizing findings based on risk and driving remediation to closure.
- Build and deliver security training and awareness programs tailored to developers — leveraging your engineering background to make guidance practical and relevant.
- Evaluate and implement security tooling across the CI/CD pipeline (SAST, SCA, secret scanning, container scanning, etc.).
- Support third-party penetration tests and bug bounty programs, including triage, validation, and remediation tracking.
- Contribute to compliance efforts related to HIPAA, SOC 2, and other relevant frameworks, particularly as they relate to application and data security.
- Monitor the threat landscape and proactively surface emerging risks relevant to our technology stack and industry.
- Develop applications that run securely in cloud and containerized environments.
Requirements
- 10+ years of experience in software engineering, application security, or a combination of both.
- A strong software engineering foundation — you've written production code and understand how applications are built, not just how they break.
- Meaningful experience in application security, whether that came from transitioning out of a development role or through dedicated AppSec positions.
- Hands-on experience with common vulnerability classes (OWASP Top 10, injection attacks, authentication flaws, insecure deserialization, etc.) and how to fix them.
- Experience conducting or coordinating threat modeling, security architecture reviews, and secure code reviews.
- Proficiency in one or more modern programming languages (Python, Go, Java, TypeScript, etc.) — enough to read, understand, and critique production code.
- Familiarity with cloud security (AWS, GCP, or Azure) and container/Kubernetes security practices.
- Experience integrating security tooling into CI/CD pipelines (GitHub Actions, Jenkins, etc.).
- Working knowledge of authentication and authorization standards (OAuth 2.0, OIDC, SAML, RBAC).
- Familiarity with API security, including REST and GraphQL attack surfaces.
- You can communicate complex security concepts clearly to engineers and non-technical stakeholders alike.
- You default to collaboration over confrontation — you know that security only works when developers are on your side.
- You're comfortable with ambiguity and can prioritize effectively in a fast-moving environment.
- You care about the mission — the systems you're protecting store and transmit sensitive patient data, and that responsibility motivates you.
Benefits
- Flexible paid time off (PTO)
- Expansive coverage for health, dental, and vision
- Employer contribution to Health Savings Accounts (HSA)
- Generous parental leave policy
- Full employee coverage for life insurance
- Home office stipend
- Cell phone/internet reimbursement
- Company-paid holidays
- 401(K) plan
Applicant Tracking System Keywords
Tip: use these terms in your resume and cover letter to boost ATS matches.
Hard Skills & Tools
application security, threat modeling, secure code review, SAST, DAST, penetration testing, vulnerability management, cloud security, API security, programming languages
Soft Skills
communication, collaboration, prioritization, leadership, training, problem-solving, adaptability, risk assessment, mentoring, stakeholder engagement
Certifications
HIPAA compliance, SOC 2 compliance