Lead Security Engineer

Charlie Health Engineering, Product & Design
New York, NY
18h
$180,000 - $240,000
Hybrid

About The Position

Charlie Health is seeking an experienced Lead Security Engineer to join our Information Security team. In this role, you will partner closely with engineering and product teams to embed secure development practices across the entire software development lifecycle (SDLC). You will be the subject matter expert on application security, guiding the business in building secure, scalable and HIPAA-compliant software solutions. We’re a team of passionate, forward-thinking professionals eager to take on the challenge of the mental health crisis and play a formative role in providing life-saving solutions. If you’re inspired by our mission and energized by the opportunity to increase access to mental healthcare and impact millions of lives in a profound way, apply today.

Requirements

  • 5+ years of experience in application security, secure software development, or related roles.
  • Bachelor’s degree in Computer Science or related field, or equivalent experience.
  • Proficiency in secure coding practices and languages such as TypeScript, Node, Python, Java, C++ or similar.
  • Ability to contribute code changes to production applications as needed, including debugging, fixing security vulnerabilities, and collaborating with engineering teams on secure feature development.
  • Hands-on experience with application security tools (e.g., Burp Suite, OWASP ZAP, Fiddler).
  • Deep understanding of web application vulnerabilities: XSS, CSRF, SQLi, session management, etc.
  • Experience implementing security in CI/CD pipelines such as GitHub Actions and in agile development workflows.
  • Familiarity with management and deployment of SAST, DAST, and SCA tooling.
  • Knowledge of authentication technologies (e.g., Auth0, Okta) and how to securely integrate them with applications.
  • Strong communication skills with ability to clearly articulate risk to technical and non-technical audiences.
  • Please note: candidates located within a 75-minute commute of our NYC office are expected to work onsite 4 days/w

Nice To Haves

  • Experience with HIPAA and securing applications in healthcare environments.
  • OSCP, OSWE or other relevant security certifications.
  • Experience securing custom software collaboratively on a team.
  • Familiarity with AWS cloud platform.
  • Experience contributing to or managing bug bounty programs.
  • Knowledge of security standards such as SOC2, ISO 27001/2, NIST 800-53, HITRUST, or HIPAA Security Rule.
  • Ability to write proof-of-concept exploits and perform advanced security analysis.

Responsibilities

  • Security Integration & Guidance
      • Collaborate with product and IT engineering teams to design secure applications and features.
      • Educate developers on secure coding practices and security testing.
      • Serve as a subject matter expert on internal application security and SDLC controls.
  • Assessment & Threat Modeling
      • Conduct code reviews, threat models and risk assessments to identify and mitigate vulnerabilities early.
      • Perform internal penetration testing and support incident response for application-level issues.
      • Continuously monitor the threat landscape to proactively adjust defenses and strategies.
  • Tooling & Automation
      • Develop and implement tools and frameworks to integrate security into CI/CD pipelines.
      • Work with teams to build and enforce secure SDLC controls in a fast-paced agile environment.
      • Own and enhance application vulnerability management and remediation processes.
  • Collaboration & Policy
      • Lead implementation of security policies, standards and remediation processes.
      • Work cross-functionally to balance security risks with business objectives and product timelines.
      • Participate in security incident response, forensic investigations and security incident postmortems related to applications and systems.

Benefits

  • Charlie Health is pleased to offer comprehensive benefits to all full-time, exempt employees.
  • Read more about our benefits here.
  • The total target base compensation for this role will be between $180,000 and $240,000 per year at the commencement of employment.
  • Please note, pay will be determined on an individualized basis and will be impacted by location, experience, expertise, internal pay equity, and other relevant business considerations.
  • Further, cash compensation is only part of the total compensation package, which, depending on the position, may include stock options and other Charlie Health-sponsored benefits.