Application Security Engineer

Application Security Engineer conducts secure code reviews, threat modeling, and automates security tooling with AI in CI/CD pipelines to protect patient data systems. Requires 5+ years app sec experience, coding proficiency in modern languages, and cloud/container security knowledge.

205k – 275k | South San Francisco, CA | Security Engineering | Hybrid | 5+ YOE

About the role

Responsibilities

  • Perform secure code reviews, threat modeling, and security design reviews for new features and services.
  • Use AI to automate tooling such as SAST, DAST, SCA, secret scanning, and container scanning across our CI/CD pipelines.
  • Use AI to triage and validate vulnerability findings from automated tools, penetration tests, and bug bounty submissions. Track remediation to closure.
  • Work directly with engineering squads to fix security issues, helping developers understand the “why” and the fix.
  • Support third-party penetration tests: scoping, coordination, triage, and follow-through on results.
  • Contribute to developer security guides and training grounded in our actual codebase and stack.
  • Help maintain and improve our vulnerability management workflows and tracking using AI.
  • Support compliance work related to HIPAA and SOC 2 where it touches application and data security.
  • Stay current on the threat landscape and flag emerging risks relevant to our technology and industry.

Requirements

Must-haves

  • 5+ years of experience in application security.

Technical Skills

  • Have written production code and can read, review, and critique code in at least one modern language (Python, Go, Java, TypeScript, etc.).
  • Solid working knowledge of common vulnerability classes (OWASP Top 10, injection attacks, auth flaws, insecure deserialization, etc.) and how to fix them.
  • Hands-on experience with threat modeling and secure code review against real systems.
  • Experience working with security tooling in CI/CD pipelines (SAST, SCA, secret scanning, GitHub Actions, etc.).
  • Familiarity with cloud environments (AWS) and container/Kubernetes basics from a security angle.
  • Working understanding of auth standards (OAuth 2.0, OIDC, SAML) and API security concepts (REST, GraphQL).

How You Work

  • Collaborative; you prefer helping developers fix issues directly.
  • Communicate clearly with engineers and product managers.
  • Organized enough to juggle multiple findings across teams.
  • Comfortable with ambiguity in a fast-moving environment.
  • Care about the mission of protecting patient data.

Nice-to-haves

  • Experience in healthcare or health-tech; familiarity with HIPAA Security Rule requirements.
  • Exposure to compliance frameworks like SOC 2 Type II, HIPAA, or HITRUST.
  • Experience at a company where you’ve worn multiple hats.
  • Relevant certifications (OSCP, CSSLP, CEH).

Compensation

  • Salary range: $205,000-$275,000 + Equity.
  • Flexible PTO, health/dental/vision coverage, HSA contributions, parental leave, life insurance, home office stipend, cell/internet reimbursement, 401(k).

Skills

Python, Go, Java, TypeScript, OWASP Top 10, SAST, DAST, SCA, Kubernetes, AWS, OAuth 2.0, OIDC, SAML, REST, GraphQL
