Principal Application Security Engineer

Join us as we work to create a thriving ecosystem that delivers accessible, high-quality, and sustainable healthcare for all.

athenahealth is changing the way the healthcare industry works. With our best in breed suite of cloud software products, we've taken healthcare into the modern age empowering medical care providers to get back to what they do best-- treating patients. athena's culture is idealistic, entrepreneurial, and extremely fast paced; a sharp contrast to the culture typically found in medical offices or healthcare service companies. We aspire to be a diverse team of change agents driven by an entrepreneurial spirit, a passion for excellence and a desire to make the administrative processes in healthcare delivery run much better.
 

Help make health information more secure! Information Security department at athenahealth is looking for a Principal Application Security Engineer to help increase the security capabilities of our teams.  Join a collaborative group that solves new and interesting application security problems at scale. With over 100 million patient records, athenahealth faces unique challenges that can only be solved by curious and driven people. Use your security, engineering, and communication skills to make a difference with the company that allows medical professionals to focus on what they do best - treat patients.

Position Summary:

As a Principal Security Engineer, you will work closely with scrum teams, product managers, and engineering leadership to improve the quality and adoption of athena’s Secure Deverlopment Lpractices. This will include but is not restricted to automated testing via static and dynamic code analysis tools; threat modeling exercises; architecture review; and training in secure coding techniques. The primary goal is to prevent vulnerabilities from being introduced into the product features during the development lifecycle. Your skills will be relied on to provide platform and product teams with security expertise to increasingly secure our products via coaching, consulting and guidance.

Responsibilities may include, but are not limited to:

• Drive execution of key security best practices across the R&D organization. Explain and ensure correct use of security concepts such as authentication and authorization concepts, correct use of secrets and data storage methods.
• Lead prioritization of code review and security testing tools findings prioritization
• Contribute to enterprise security catalog of best practices, techniques and patterns to enable secure implementation of features in products/product families
• Instruct R&D engineers on latest security risks to build a growing awareness that can be used during the design and architectural phase
• Identify and explain feature level design or architectural weaknesses which could result in security issues
• Work with key stakeholders including enterprise security leadership to track open issues and follow up to resolution
• Experience working with datasets and data warehouses to collect, report and present operational data related to security vulnerabilities remediation and exception handling 
• Work with key stakeholders like DevOps, infrastructure teams, et al to build security hardened tech stacks that are used to develop, build and release code
• Document, share and help automate coverage for common abuse cases and attack personas.

Education, Experience, and Skills Required:

• Bachelor's degree in Computer Science, Computer Engineering, Cyber Security or equivalent experience
• At least 10 years experience as a software developer and 2-4 years in a security-focused development role in an agile development environment
• Experience in software and product design, product security, security issue prevention and mitigation strategies
• Experience in understanding and resolving security issues, preferably in a healthcare context
• Strong knowledge of programming languages - Java, JavaScript (NodeJS), Perl, Python, Groovy etc
• Knowledge of key security technologies like OAuth, SAML, etc.
• Understanding of the web services domain including RESTful services, Service Bus architectures, JSON etc
• Experience with Static and Dynamic Code Analysis tools like Zap, VeraCode, Checkmarx, AppSpider, HP Fortify, HP WebInspect, IBM AppScan and other tools
• 2-5 years of experience working with OWASP, SANS Standards or OSSTMM and experience with Commercial Off The Shelf (COTS) security products in DevOps environment

Preferred Qualifications:

• Current knowledge of HIPAA, HITRUST, PCI-DSS requirements
• Experience analyzing software features, systems and infrastructure to build threat models
• 2-5 years of experience of assessing threats, risk, and vulnerabilities, while working with internal/external pen testing teams
• Familiarity with coaching security thinking for teams’ agile definition of done
• Experience with working with private and public cloud technologies including AWS, Azure, etc
• Experience driving the adoption of Security Standards in a large engineering organization
• Experience in measuring and metrics for a secure development lifecycle program including BSIMM, OpenSAMM, SAFECode

Behaviors & Abilities Required:

• Ability to define and execute work independently
• Capability to lead or contribute to teams as necessary
• Exercise influence without authority
• Initiative to continuously learn about security and systems
• Being plugged into the evolving threat landscape
• Staying current on latest attack vectors
• Desire to have fun and grow professionally at work

 
athenahealth is committed to a policy of equal employment opportunity. We recruit and hire applicants without regard to race, color, religion, sex (including pregnancy), national origin, disability, age, sexual orientation, veteran status, genetic information, gender identity, gender expression, or any other factor prohibited by law.

About athenahealth

Here’s our vision: To create a thriving ecosystem that delivers accessible, high-quality, and sustainable healthcare for all.  

What’s unique about our locations? 
From an historic, 19th century arsenal to a converted, landmark power plant, all of athenahealth’s offices were carefully chosen to represent our innovative spirit and promote the most positive and productive work environment for our teams. Our 10 offices across the United States and India — plus numerous remote employees — all work to modernize the healthcare experience, together. 
 
Our company culture might be our best feature. 
We don't take ourselves too seriously. But our work? That’s another story. athenahealth develops and implements products and services that support US healthcare: It’s our chance to create healthier futures for ourselves, for our family and friends, for everyone.  

Our vibrant and talented employees — or athenistas, as we call ourselves — spark the innovation and passion needed to accomplish our goal. We continue to expand our workforce with amazing people who bring diverse backgrounds, experiences, and perspectives at every level, and foster an environment where every athenista feels comfortable bringing their best selves to work. 

Our size makes a difference, too: We are small enough that your individual contributions will stand out — but large enough to grow your career with our resources and established business stability. 
 
Giving back is integral to our culture. Our athenaGives platform strives to support food security, expand access to high-quality healthcare for all, and support STEM education to develop providers and technologists who will provide access to high-quality healthcare for all in the future. As part of the evolution of athenahealth’s Corporate Social Responsibility (CSR) program, we’ve selected nonprofit partners that align with our purpose and let us foster long-term partnerships for charitable giving, employee volunteerism, insight sharing, collaboration, and cross-team engagement.   

What can we do for you? 
Along with health and financial benefits, athenistas enjoy perks specific to each location, including commuter support, employee assistance programs, tuition assistance, employee resource groups, and collaborative workspaces — some offices even welcome dogs.  

In addition to our traditional benefits and perks, we sponsor events throughout the year, including book clubs, external speakers, and hackathons. And we provide athenistas with a company culture based on learning, the support of an engaged team, and an inclusive environment where all employees are valued.  

We also encourage a better work-life balance for athenistas with our flexibility. While we know in-office collaboration is critical to our vision, we recognize that not all work needs to be done within an office environment, full-time. With consistent communication and digital collaboration tools, athenahealth enables employees to find a balance that feels fulfilling and productive for each individual situation. 

athenahealth is committed to a policy of equal employment opportunity—that’s why we recruit and hire applicants without regard to race, color, religion, sex (including pregnancy), national origin, disability, age, sexual orientation, veteran status, genetic information, gender identity, gender expression, or any other factor prohibited by law. We’re happy to provide a reasonable accommodation, for those with a disability, to complete any part of the application process. If you are unable to access or use this online application process and need an alternative method for applying, please contact us at taoperations@athenahealth.com for assistance.

https://www.athenahealth.com/careers/equal-opportunity