Principal Security Engineer

About The Position

Requirements

• Experience: 8+ years of progressive security engineering experience, including at least 4 years in a senior or principal application security or product security role.
• Application Security Expertise: Deep technical proficiency in OWASP Top 10, threat modeling, SAST/DAST tooling, secure code review, API security, and authentication/authorization patterns. You must be comfortable reading code in TypeScript/JavaScript and Python and engaging meaningfully with engineering teams on security trade-offs.
• AI/ML Security Knowledge: Demonstrated understanding of AI/ML security risks including prompt injection, model supply chain attacks, data leakage in LLM integrations, and agentic AI trust boundaries. Proven experience with OWASP LLM Top 10 and NIST AI RMF.
• Cloud-Native SaaS Experience: Hands-on experience securing cloud-native SaaS applications, preferably on AWS with containerized and Kubernetes workloads, IaC pipelines, and microservices architectures.
• Vendor Risk Assessment: Proven experience evaluating third-party AI/ML platforms and vendors for security and compliance risk in HIPAA-regulated or similarly regulated environments, including BAA assessment and data handling review.
• Independent Execution: Proven ability to operate independently in a fast-paced, lean environment and influence engineering outcomes without direct authority. This is a small team—you will own your domains fully.
• Communication: Excellent written and verbal communication skills; able to translate technical risk into business impact for executive and non-technical stakeholders, including board- and investor-level reporting.
• HIPAA & Compliance: Strong working knowledge of HIPAA Security Rule requirements as applied to a cloud SaaS architecture, and experience supporting SOC 2 Type II compliance programs.

Nice To Haves

• Education: Bachelor’s degree in Computer Science, Information Security, or a related technical field
• Certifications: One or more industry certifications: OSCP, CSSLP, AWS Security Specialty, CISSP, or equivalent security practitioner credential.
• Healthcare Domain Knowledge: Familiarity with clinical documentation standards, EMR data sets, and the nuances of HIPAA compliance in a SaaS product context.
• Security Tooling Experience: Hands-on experience with Wiz, CrowdStrike Falcon, Rapid7 InsightIDR/InsightVM, or comparable enterprise cloud and endpoint security platforms.
• AI Framework Familiarity: Exposure to agentic AI development frameworks and an understanding of how these architectures introduce novel security challenges.
• GitLab & Supply Chain Security: Experience with GitLab CI/CD pipeline security, dependency scanning, and software supply chain security controls.
• PAM Experience: Familiarity with privileged access management solutions (Teleport, BeyondTrust, CyberArk) and certificate-based access control models.
• Team Mentorship & Influence: Previous experience providing technical leadership in a hybrid internal/external team environment, shaping security standards across engineering without formal authority.

Responsibilities

• Security Design Reviews: Lead application security architecture reviews for WebPT’s SaaS platforms, including new feature designs, third-party integrations, and major platform changes submitted through the change management process.
• Threat Modeling: Own and facilitate threat modeling sessions with product and engineering stakeholders, translating findings into actionable developer guidance, architectural guardrails, and risk-accepted documentation.
• Secure SDLC: Help define and evolve WebPT’s Secure Software Development Lifecycle (SDLC), embedding security checkpoints into GitLab CI/CD pipelines and development workflows without creating unnecessary friction.
• SAST/DAST Ownership: Oversee application security testing tooling, triage findings by risk, and drive remediation with engineering teams—balancing thoroughness with the pace of a lean environment.
• API & Auth Standards: Serve as the internal authority on API security, secrets management, authentication and authorization patterns (OAuth 2.0, SAML, OIDC), and input validation across microservices and legacy systems.
• AI Security: Serve as the primary security resource for AI/ML integration decisions, including agentic AI workflows, LLM-based features, ambient listening, and third-party AI platform technologies.
• AI Governance Framework: Define and maintain WebPT’s AI security standards and AI vendor risk assessment criteria, including evaluation of AI/ML platforms for HIPAA BAA compliance, data residency, prompt injection risk, and model confidentiality.
• AI Security Controls: Partner with engineering and product to design security guardrails for AI feature development: input/output validation, audit logging, human-in-the-loop controls, and AI supply chain integrity.
• Shadow AI Discovery: Drive AI Shadow IT discovery and governance initiatives, analyzing telemetry from Wiz, CrowdStrike, and network/DNS sources to identify unauthorized AI tool usage across the environment.
• Emerging Threat Awareness: Stay current with AI threat vectors and regulatory guidance (NIST AI RMF, OWASP LLM Top 10, HHS AI policy) and translate these into WebPT-specific controls and policy updates.
• Cloud Security Posture: Partner with Cloud Operations to maintain and continuously improve WebPT’s security posture across cloud environments, leveraging Wiz for cloud security assessment and misconfiguration detection.
• IaC & Container Security: Provide security architecture input for infrastructure-as-code pipelines, container security, and CI/CD pipeline hardening in GitLab.
• Vulnerability Management: Contribute to vulnerability management strategy including EOL technology remediation, CVE triage, and risk-based prioritization in partnership with Cloud Operations and the broader security team.
• WAF & Network Controls: Provide security guidance on WAF configuration (F5), network segmentation, and secrets management across the production environment.
• Engineering Partnership: Participate actively in change management and security review processes, providing timely, risk-calibrated assessments and serving as a trusted partner to engineering—not a gatekeeper.
• Team Mentorship: Mentor other engineers on the Security team, providing technical coaching on application security concepts, tool usage, and security investigation techniques.
• Documentation & Evangelism: Produce clear security architecture decision records, threat model summaries, risk assessments, and remediation roadmaps; evangelize secure development practices across the engineering organization.
• Executive Communication: Represent security in cross-functional forums with engineering, product, and operations leadership; translate complex security risks into business-relevant language for board- and investor-ready reporting.
• PEN Testing & Compliance: Contribute to external penetration test scoping, coordination, and remediation, and support SOC 2 Type II and HIPAA compliance audit cycles as a technical subject matter expert.