Senior Application Security Engineer

$128k – $197k
Published: 1 month ago

Collective Health

Applying technology and design to create the healthcare experience we all deserve

Job Location

Remote • Chicago • San Mateo

Job Type

Full Time

Visa Sponsorship

Not Available

Hires remotely

Everywhere

Relocation

Allowed

The Role

We all depend on healthcare throughout our lifetimes, for ourselves and for our families and friends, but it is notoriously difficult to navigate and understand. As an industry that comprises 20% of the US economy, we think healthcare should work better for all of us. At Collective Health we believe it’s time for a new day in healthcare, where as members we are informed and empowered to make the right care choices when the decisions are urgent and critical.

Driven by our mission to make it easier to understand, navigate, and pay for healthcare, Collective Health is evolving the way health benefits work. If you are passionate about our mission and you are an experienced hands-on product and application security professional who is excited about developing and leading a broad range of functions at a mission-driven, highly-regulated technology company, this role is for you.

What you'll do:

  • Build relationships across all parts of the business and drive multi-functional initiatives to continuously improve the security and privacy posture of our environment
  • Focus on security architecture, design and engineering subject areas while being able to lay out product security maturity, identify program and tool gaps and recommend solutions
  • Lead annual penetration testing along with socializing gap results, and working with stakeholders to remediate the gaps within a reasonable timeframe
  • Build positive relationships with Engineering, Product, Risk and customer-facing teams, a core tenet of the role and the team
  • Architect, build and drive implementations of DAST/SAST/SCA/WAF/RASP/IAST solutions in an enterprise environment
  • Perform code audits on internal and open source libraries for inclusion in our products and/or for employee consumption
  • Perform application threat modeling exercises and attack simulation exercises, both in the context of internal assessments and while assisting 3rd party application penetration testing/gray box testing
  • Provide detailed explanations of the security issues found and ensure that those responsible for fixing them have a firm grasp of the fixes that need to be implemented
  • Design and implement enhancements to our Continuous Integration and Continuous Deployment (CI/CD) pipeline/s to include security controls and appropriate guardrails to help build secure code and scale security processes
  • Perform, and assist other team members in, application penetration testing, and effectively translate the technical requirements and findings to appropriate user groups and partners
  • Be responsible for and collaborate with team members, understand their processes and workflows, prioritize their ideas and innovations and develop improvements to ensure successful execution
  • Provide technical leadership and mentorship on security topics to both security and non-security user groups

To be successful in this role, you'll need:

  • 5-8+ years of experience in a relevant role
  • Strong experience with architecting and/or operating application security tooling such as DAST/SAST/SCA/WAF/RASP/IAST in an enterprise environment
  • Strong experience with socializing and building partnership on security programs and user expectations
  • Strong experience with training and mentoring the entire company on security practices and other awareness related exercises such as phishing
  • Strong experience in dealing with incident response
  • Moderate hands-on experience conducting web application security reviews, application and network-based penetration testing, and threat modeling
  • Moderate to basic experience in leading technical security specialists in the augmentation of the Continuous Integration (CI) pipeline to include security testing; collaborate with partners on overall CI/CD vision and implementation strategy
  • Moderate to basic experience with common attack scenarios in various common layers within our infrastructure (cloud-based issues, code quality, insider threat, etc.)
  • Basic programming in one or more of the following languages: Python, JS, Go, ROR or Java
  • Basic experience working with a cloud hosting platform (AWS, GCP, DO, Azure)

This job can be performed in a location where we currently have an office: San Mateo, CA, Chicago, IL, or Lehi, UT, or remotely from the following states: CA, CO, CT, FL, GA, IL, MA, MI, MN, NJ, NY, NC, OH, OR, TX, UT, or WA.

Pay Transparency Statement

In accordance with Colorado’s Equal Pay for Equal Work Act and New York City’s Int. 1208-2018, the estimated salary range for this role if hired in Colorado is $128,400-$196,800, and for New York City is $174,000-$228,900. Compensation will depend on multiple factors, including geographic location, qualifications, skills, competencies and experience.

Please note that this information is provided for those hired in Colorado or New York City only, and this role is open to candidates outside of those locations as well.

In addition to base salary, this position is eligible for stock options and benefits. Learn more about our benefits at https://jobs.collectivehealth.com/#benefits.

About Collective Health

Founded in 2013, Collective Health has created an ecosystem of innovative partners across care and benefits delivery, as well as built a powerful and flexible infrastructure to better enable employees and their families to understand, navigate, and pay for healthcare. By reducing the administrative lift of delivering health benefits, providing an intuitive member experience, and improving health outcomes, the company guides employees toward healthier lives and companies toward healthier bottom lines. Collective Health is headquartered in San Mateo, CA with locations in Chicago, IL, and Lehi, UT. For more information, please visit collectivehealth.com.

We are an equal opportunity employer and value diversity at our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status. Collective Health is committed to providing support to candidates who require reasonable accommodation during the interview process. If you need assistance, please contact [email protected].

More about Collective Health

Perks and Benefits

Healthcare benefits
Retirement benefits
Generous vacation

Funding

AMOUNT RAISED
$157M
FUNDED OVER
4 rounds
Rounds
C
$81,000,000
Series C Oct 2015

Founders

Ali Diab
Founder • 3 years
San Mateo
Rajaie Batniji
Founder • 3 years