Senior Security Engineer

United States

Applications have closed

One Medical

One Medical is committed to providing the best primary care through exceptional quality, a world-class experience, and second-to-none technology. Our highly-rated doctors take most insurance plans and are accepting new patients.

View all jobs at One Medical

About Us

One Medical is a primary care solution challenging the industry status quo by making quality care more affordable, accessible and enjoyable. But this isn’t your average doctor’s office. We’re on a mission to transform healthcare, which means improving the experience for everyone involved - from patients and providers to employers and health networks. Our seamless in-office and 24/7 virtual care services, on-site labs, and programs for preventive care, chronic care management, common illnesses and mental health concerns have been delighting people for the past fifteen years.

In February 2023 we marked a milestone when One Medical joined Amazon. Together, we look to deliver exceptional health care to more consumers, employers, care team members, and health networks to achieve better health outcomes. As we continue to grow and seek to impact more lives, we’re building a diverse, driven and empathetic team, while working hard to cultivate an environment where everyone can thrive.

The Opportunity

The Product Security team at One Medical consults with and supports our Product teams, which have developed a very large code base that comprises a full-featured Electronic Medical Records system, as well as patient-facing applications. The Product Security team reviews architecture, design, and code, maintains security-related scanning in the CI/CD pipeline, and serves as expert consultants to engineers, engineering managers, and product managers regarding all efforts to keep patient and corporate data safe.

This role reports to the Manager of Product Security for One Medical, but also works frequently with the Product Security Engineers from Amazon HealthSec. This role will work as a high-level technical liaison between the Product Security team and product builder team technical leadership roles, such as Principal Engineers, Engineering Managers, as well as their leadership.. You will think strategically, not just tactically, and are comfortable with complexity and situations where there is no perfect solution. This role is a partner (not a gatekeeper) for builder teams, and works to raise the security bar through education and counsel. We identify opportunities to improve developer velocity and program efficiency while maintaining our high security and privacy standards. You will help provide technical guidance regarding our CI/CD pipeline (Github, Dependabot, Semgrep, Stackhawk, etc.) as well as Amazon tooling. At One Medical, we expect a Sr Security Engineer to be involved with local and virtual communities with regard to one or more of our stacks: Rails, Node, Go, Python, and others. A Sr Engineer must also have significant hands-on familiarity with at least one of these frameworks and its tooling. Here at One Medical, Security is not a waterfall-style afterthought; it’s baked into our software development processes and represents a “shift-left” style of security collaboration. You’ll be especially adept at providing software developers options, rather than strict requirements for security.

Healthcare Security Engineers act as consultants and partners to Amazon/One Medical Healthcare developers and product owners. We proactively identify and mitigate risks in designs, infrastructure, and code. We develop secure paved paths, perform application security testing, and support our Healthcare engineering partners in all things security. Together, we build services that earn customer trust and raise the bar for the healthcare industry.

The team itself is highly collaborative and is always sharing learning from its own team members, as well as teams that are adjacent to it in the security organization – those neighbor teams are our colleagues in Amazon HealthSec. 

What you'll work on: 

  • Participate in developer team architecture and strategy meetings and discussions; in particular, you are a sounding board and guide for architectural considerations regarding access control and systems integration
  • Conduct Application Security Assessments (ASR)  following the Amazon process. These include tasks such as security architecture reviews, threat modeling, penetration testing, and automated and manual code reviews
  • Analyze security test results, document risks, and recommend mitigating controls
  • Design new security automation and select tooling to improve our detection of application vulnerabilities, and to assist in the remediation of findings
  • Provide security subject matter expertise to the Product Security team itself, as well as to development teams
  • Contribute to our incident response and vulnerability remediation efforts
  • Security research, presentation, security industry collaboration, and participation in hackathons

You’ll need:

  • 4+ years of any combination of the following: threat modeling experience, secure coding, identity management and authentication, software development, cryptography, system administration, and network security experience
  • Proven skills communicating and collaborating with product development engineers and leadership
  • Strong experience in leading application security assessments, security architecture reviews, threat modeling, manual code reviews, and security design reviews
  • Proven track record mentoring and maturing product security engineers
  • Experience with providing security recommendation and guidance in at least two of the following languages/frameworks: Ruby on Rails, Python, GoLang, Javascript, React, Angular, Swift, Kotlin, C, C++
  • Extensive  experience identifying, testing, and remediating  against vulnerabilities including those found in the OWASP Top 10 and CWE/SANS Top 25
  • Experience building automation and/or writing scripts to solve security problems
  • Experience with AWS products and services
  • Experience implementing security solutions at the business division level or equivalent

Not required, but would be great if you also have:

  • OSCP, OSWE, GPEN or similar certifications
  • Contributions to the security community such as research, public CVEs, bug-bounty recognitions, open-source projects, and blogs or publications
  • Experience working in highly regulated environments subject to compliance requirements such as  HIPAA and PCI
  • Experience with authentication/authorization technologies, like OpenID Connect, JWTs, SAML, and HMACs
  • Experience with the security considerations for data pipelines, reporting, ML, and LLMs
  • Experience with mobile security reviews and testing
  • Dual Builder / Breaker mindset: Passion for breaking things and working alongside teams to fix them

 

Benefits designed to aid your health and wellness:

Taking care of you today

  • Employee Assistance Program - Free confidential advice for team members who need help with stress, anxiety, financial planning, and legal issues
  • Competitive Medical, Dental and Vision plans
  • Free One Medical memberships for yourself, your friends and family
  • Pre-Tax commuter benefits
  • PTO cash outs - Option to cash out up to 40 accrued hours per year

Protecting your future for you and your family

  • 401K match
  • Opportunity to participate in company equity programs
  • Credit towards emergency childcare
  • Company paid maternity and paternity leave
  • Paid Life Insurance - One Medical pays 100% of the cost of Basic Life Insurance
  • Disability insurance - One Medical pays 100% of the cost of Short Term and Long Term Disability Insurance

 

This is a full-time remote role based in the United States. One Medical is committed to fair and equitable compensation practices. The base salary range for this role is $121,600 to $234,000 Actual compensation packages are based on several factors that are unique to each candidate, including but not limited to skill set, depth of experience, certifications, and specific work location. The total compensation package for this position may also include RSUs, benefits and/or other applicable incentive compensation plans. For more information, visit https://www.onemedical.com/careers/

One Medical is an equal opportunity employer, and we encourage qualified applicants of every background, ability, and life experience to contact us about appropriate employment opportunities.

One Medical participates in E-Verify and will provide the federal government with your Form I-9 information to confirm that you are authorized to work in the U.S.  Please refer to the E-Verification Poster (English/Spanish) and Right to Work Poster (English/Spanish) for additional information.

 

Job stats:  0  0  0

Tags: Application security Automation AWS C CI/CD Compliance Cryptography GitHub Golang GPEN HIPAA Incident response JavaScript Kotlin LLMs Mobile security Network security OpenID OSCP OSWE OWASP Pentesting Privacy Product security Python Ruby SAML SANS Security assessment Strategy Vulnerabilities

Perks/benefits: 401(k) matching Career development Competitive pay Equity / stock options Health care Insurance Medical leave Parental leave Wellness

Region: North America
Country: United States

More jobs like this

Explore more career opportunities

Find even more open roles below ordered by popularity of job title or skills/products/technologies used.