Senior Application Security Engineer

San Francisco, CA

The Opportunity

If you like to break apps and you know what it takes to secure them, then this role is for you! Our Application Security Engineers work alongside the larger technology organization to evaluate the design and implementation of our products, design security solutions and features, and educate our teams on secure coding and emerging threats. Outside of internally developed applications, you’ll also have a hand in evaluating the risk of 3rd party solutions and performing penetration tests where necessary. This position will constantly challenge you to learn new skills and apply yourself in different ways towards our mission of advancing security in the healthcare industry.

In this role, you will be expected to collaborate with individuals from across all different levels and functions within the organization. You will partner with these teams on security issues that often have ambiguous solutions, and work to design solutions that align with broader organizational goals. This will require partnership and persuasion to gain the support and commitment of others while optimizing work processes by identifying opportunities to improve.

What you'll work on:

 

  • Hands-on security testing (grey-box) and code review of internally and externally developed applications
  • Provide product security guidance and architecture oversight, design reviews and security feature roadmap collaboration
  • Provide security subject matter expertise to development teams, develop secure coding practices, and develop hands-on training for developers and quality engineers
  • Participate in our incident response and vulnerability remediation efforts
  • Develop new automation and tooling to improve our detection of, and to assist in the remediation of, findings
  • Security research, presentation, and security industry collaboration

You’ll need:

  • 2-3 years of product security experience
  • Experience being in-house security within an organization
  • In-depth experience identifying and protecting against web and mobile application vulnerabilities including those found in the OWASP Top 10 and CWE Top 25
  • Deep knowledge and security experience in at least two of the following languages: Ruby on Rails, Python, JavaScript, Angular
  • Solid foundation in the browser security model, crypto, and network security

Nice to Have:

  • B.S. / M.S. in Computer Science, Electrical Engineering, or related experience
  • OSCP or CEH Certifications
  • Real-world experience, internal penetration testing and/or vulnerability analysis
  • Contributions to the security community such as research, public CVEs, bug-bounty recognitions, open-source projects, and blogs or publications
  • Dual Builder / Breaker mindset: Passion for breaking things and working alongside teams to fix them
  • Good sense of humor

This is a full-time role based in San Francisco, CA.

One Medical is an equal opportunity employer and encourages all applicants from every background and life experience.