Senior Application Security Engineer

About the Role

What You'll Do

• Secure Development & Code Review: Partner with engineering teams to embed security throughout the SDLC across Fabric's Ruby on Rails, Python, React, and Node.js applications. Conduct security-focused code reviews and provide actionable guidance on secure coding practices.                                                      
• Threat Modeling & Assessment: Lead threat modeling exercises for new features and architectural changes. Conduct application penetration testing and vulnerability assessments across the platform, prioritizing findings and working directly with engineering to drive remediation.
• DevSecOps & Tooling: Implement and manage SAST and DAST tooling integrated into CI/CD pipelines. Build security guardrails and automated checks that allow engineering to move fast without introducing risk to the platform or patient data.
• Compliance & Risk: Ensure application security practices meet HIPAA, SOC 2, and HITRUST requirements. Assess third-party integrations and APIs for security risk, including EHR integrations with Epic and Cerner.
• Security Education & Culture: Run secure coding training and awareness programs for engineering teams. Serve as the internal subject matter expert on application security and lead response to application-layer security incidents.

Why You Might Be a Good Fit

• You think like an attacker and build like an engineer. You are as comfortable in a codebase as you are writing a threat model.
• You understand that in healthcare, a vulnerability is not just a technical problem. It is a patient safety and compliance problem.                                  
• You prefer building guardrails and education programs over reactive patching.
• You can communicate security risk to engineering teams in a way that drives action, not defensiveness.
• You are energized by building a security practice and shaping how a fast-growing company approaches application security.

This Might Not Be The Right Fit If...

• You are primarily a compliance or GRC-focused security professional and are not comfortable getting into the code.
• You prefer working in a mature, established security program over building and defining one. 
• You are not comfortable working closely with engineering as a partner rather than an oversight function.
• You do not have experience in a regulated environment where security decisions carry direct compliance implications.

Your Qualifications

• 5+ years of experience in application security with hands-on experience in security assessments, penetration testing, and secure code review.                       
• Proficiency in at least one language in Fabric's stack: Ruby, Python, JavaScript/TypeScript, or similar.
• Experience integrating SAST and DAST tooling into CI/CD pipelines.
• Deep understanding of the OWASP Top 10 and common application vulnerabilities.
• Experience with threat modeling methodologies.
• Familiarity with cloud security in AWS environments.
• Understanding of HIPAA or other regulated industry security requirements.

Bonus Points

• Experience securing healthcare applications or working with PHI.
• Familiarity with EHR integration security including FHIR, HL7, Epic, or Cerner APIs.
• Security certifications such as OSCP, GWEB, or BSCP. 
• Experience with bug bounty program management.
• SOC 2 or HITRUST audit support experience.

The national pay range for this role is $130,000.00 – $160,000.00 per year. Actual compensation will be determined by factors such as the candidate's geographic market, experience, skills, and qualifications. Certain roles may also be eligible for additional compensation, including a comprehensive benefits package such as medical, dental, vision, unlimited PTO, and a 401(k) plan, stock options and bonuses. If your compensation requirement is greater than our posted range, please still consider applying; a determination can be made based on unique qualifications. Expected compensation ranges for this role may change over time.