Application Security Engineer
One Medical is a primary care solution challenging the industry status quo by making quality care more affordable, accessible and enjoyable. But this isn’t your average doctor’s office. We’re on a mission to transform healthcare, which means improving the experience for everyone involved - from patients and providers to employers and health networks. Our seamless in-office and 24/7 virtual care services, on-site labs, and programs for preventive care, chronic care management, common illnesses and mental health concerns have been delighting people for the past fifteen years.
In February 2023 we marked a milestone when One Medical joined Amazon. Together, we look to deliver exceptional health care to more consumers, employers, care team members, and health networks to achieve better health outcomes. As we continue to grow and seek to impact more lives, we’re building a diverse, driven and empathetic team, while working hard to cultivate an environment where everyone can thrive.
The Product Security team at One Medical consults with and supports our Product team, which has developed a very large code base that comprises a full-featured Electronic Medical Records system called 1Life, as well as patient-facing applications. The Product Security team reviews architecture, design, and code, maintains security-related scanning in the CI/CD pipeline, and serves as expert consultants to engineers and product managers regarding all efforts to keep data safe. Typically, a Product Security Engineer meets with a number of Product teams on a regular cadence and keeps up with their work, intervening as appropriate to guide their security efforts.
The team itself is highly collaborative and is always sharing learning from its own team members, as well as teams that are adjacent to it in the security organization – those neighbor teams are our colleagues in Enterprise Security and Detection and Response. Product Security also interacts with our Technical Compliance group when they are reviewing our compliance with SOX, SOC 2, HIPAA, and other regulatory and compliance frameworks.
What you'll work on:
- Conduct hands-on security testing and code review of internally developed applications
- Analyze security test results, document risks, and recommend mitigating controls
- Conduct Application Security Assessments, Security Architecture Reviews, and Threat Modeling
- Develop new security automation and tooling to improve our detection of application vulnerabilities, and to assist in the remediation of findings
- Provide product security guidance and architecture oversight, design reviews, and security feature roadmap collaboration
- Provide security subject matter expertise to development teams, developing secure coding practices, and develop hands-on training to developers and quality engineers
- Participate in our incident response and vulnerability remediation efforts
- Security research, presentation, security industry collaboration, and participation in hackathons
- 5+ years of application security experience, or 3+ years of application security experience and 2+ years of software development experience
- Experience in leading application security assessments, security architecture reviews, threat modeling, manual code reviews, and security design reviews.
- Extensive experience identifying, testing, and remediating against vulnerabilities including those found in the OWASP Top 10 and CWE/SANS Top 25
- Experience building automation and/or writing scripts to solve security problems
- B.S. / M.S. in Computer Science, Electrical Engineering, or equivalent experience
Nice to Have:
- OSCP, OSWE, GPEN or similar certifications
- Experience working in highly regulated environments subject to compliance requirements such as HIPAA, HITrust, PCI
- Experience with authentication/authorization technologies, like OpenID Connect, JWTs, SAML, and HMACs
- Experience with mobile security reviews and testing
- Contributions to the security community such as research, public CVEs, bug-bounty recognitions, open-source projects, and blogs or publications
- Dual Builder / Breaker mindset: Passion for breaking things and working alongside teams to fix them
- Good sense of humor :)
Benefits designed to aid your health and wellness:
- Taking care of you today
- Paid sabbatical after 5 and 10 years
- Employee Assistance Program - Free confidential advice for team members who need help with stress, anxiety, financial planning, and legal issues
- Competitive Medical, Dental and Vision plans
- Free One Medical memberships for yourself, your friends and family
- Pre-Tax commuter benefits
- PTO cash outs - Option to cash out up to 40 accrued hours per year
- Protecting your future for you and your family
- 401K match
- Opportunity to participate in company equity programs
- Credit towards emergency childcare
- Extra contributions toward maternity and paternity leave
- Paid Life Insurance - One Medical pays 100% of the cost of Basic Life Insurance
- Disability insurance - One Medical pays 100% of the cost of Short Term and Long Term Disability Insurance
This is a full-time remote role based anywhere in the United States.
The base salary range for this role is $128,000 to $234,000. However, actual compensation packages are based on several factors that are unique to each candidate. These factors include, but are not limited to, job related knowledge and skill set, depth of experience, certifications and/or degrees, and specific work location. The total compensation package for certain roles may also include additional components such as a sign-on bonus, annual performance bonus, equity grants in the form of RSUs, medical and other benefits and/or other applicable incentive compensation plans.
One Medical is an equal opportunity employer, and we encourage qualified applicants of every background, ability, and life experience to contact us about appropriate employment opportunities.
One Medical participates in E-Verify and will provide the federal government with your Form I-9 information to confirm that you are authorized to work in the U.S. Please refer to the E-Verification Poster (English/Spanish) and Right to Work Poster (English/Spanish) for additional information.