Application Security Engineer

United States

About Us

One Medical is a primary care platform challenging the industry status quo by making quality care more affordable, accessible and enjoyable. But this isn’t your average doctor’s office. We’re on a mission to radically transform healthcare, which means tackling the frustrations of everyone involved — from patients and providers to employers and health networks. 

Across the country, our members enjoy seamless access to comprehensive care at more than 90 locations across thirteen cities (and counting!) as well as 24/7 access to virtual care powered by intelligent uses of technology. In addition to a direct-to-consumer membership model, we work with more than 7,000 companies to provide One Medical health benefits to their employees.

On January 31, 2020 we marked a milestone with our public listing on Nasdaq, but our work is far from over. As we continue to grow and broaden our impact, we’re building a diverse, driven and empathetic team, while working hard to cultivate an environment where everyone can thrive.

The Opportunity

If you like to break apps and you know what it takes to secure them, then this role is for you! Our Application Security Engineers work alongside the larger technology organization to evaluate the design and implementation of our products, design security solutions and features, and educate our teams on secure coding and emerging threats. Outside of internally developed applications, you’ll also have a hand in evaluating the risk of third-party solutions and performing penetration tests where necessary. This position will constantly challenge you to learn new skills and apply yourself in different ways towards our mission of advancing security in the healthcare industry.

In this role, you will be tasked with providing security guidance and recommendations to the rest of the technology team. You will rely on your experience and judgement as well as your ability to find data from a wide variety of sources to solve complex problems. Solving these problems will require the ability to make risk-based decisions after developing a clear understanding of security goals and the goals of the technology team as a whole. You will be expected to consistently follow through on your commitments and have the ability to admit mistakes and gain insight from experiences when things go wrong. 

As a member of the One Medical Security team you will be joining a team of highly technical people focusing on having a meaningful impact on the company and the greater healthcare industry. We operate with a ‘team first’ mentality focusing on collaboration to move the security needle forward. Our drive for team success is tied closely with our commitment to personal growth; every team member is empowered to pursue research and contribute to projects that are not strictly defined by their role.

What you'll work on:


  • Hands-on security testing (grey-box) and code review of internally and externally developed applications
  • Develop new automation and tooling to improve our detection of findings and to assist in their remediation
  • Provide product security guidance and architecture oversight, design reviews and security feature roadmap collaboration
  • Provide security subject matter expertise to development teams, developing secure coding practices and hands-on training for developers and quality engineers
  • Participate in our incident response and vulnerability remediation efforts
  • Security research, presentation, and security industry collaboration

You’ll need:

  • 1+ years of product/application security experience
  • Experience providing security recommendations to developers including design/code reviews and threat modeling  
  • Familiarity with providing security recommendations and guidance in at least two of the following languages: Ruby on Rails, Python, JavaScript, Angular
  • An understanding of the fundamentals of identifying and protecting against web and mobile application vulnerabilities including those found in the OWASP Top 10 and CWE Top 25
  • Experience building automation and/or writing scripts to solve security problems 
  • Working knowledge of the browser security model, cryptography, and network security
  • B.S. / M.S. in Computer Science, Electrical Engineering, or equivalent experience

Nice to Have:

  • OSCP or CEH Certifications
  • Real-world experience performing internal penetration testing or working as an engineer on a software development team
  • A working understanding of the fundamentals of security in a cloud-based environment
  • Dual Builder / Breaker mindset: Passion for breaking things and working alongside teams to fix them
  • Good sense of humor

Benefits designed to aid your health and wellness:

Taking care of you today

  • Paid sabbatical after 5 and 10 years
  • Employee Assistance Program - Free confidential advice for team members who need help with stress, anxiety, financial planning, and legal issues
  • Competitive Medical, Dental and Vision plans
  • Free One Medical memberships for yourself, your friends and family
  • Pre-Tax commuter benefits
  • PTO cash outs - Option to cash out up to 40 accrued hours per year

Protecting your future for you and your family

  • 401K match
  • Opportunity to participate in company equity programs
  • Credit towards emergency childcare
  • Company paid maternity and paternity leave
  • Paid Life Insurance - One Medical pays 100% of the cost of Basic Life Insurance
  • Disability insurance - One Medical pays 100% of the cost of Short Term and Long Term Disability Insurance



One Medical is an equal opportunity employer, and we encourage qualified applicants of every background, ability, and life experience to contact us about appropriate employment opportunities.