About The Position
Fabric handles protected health information at scale across 75+ health systems and millions of patient encounters. Security is built into how Fabric works. As a Senior Application Security Engineer, you will own the application security practice at Fabric, partnering directly with engineering to embed security throughout the development lifecycle, build the tooling and automation that keeps our platform secure, and ensure our applications meet the compliance standards our health system customers require. This is a new headcount reporting to the VP of Infrastructure.
Requirements
- 5+ years of experience in application security with hands-on experience in security assessments, penetration testing, and secure code review.
- Proficiency in at least one language in Fabric's stack: Ruby, Python, JavaScript/TypeScript, or similar.
- Experience integrating SAST and DAST tooling into CI/CD pipelines.
- Deep understanding of the OWASP Top 10 and common application vulnerabilities.
- Experience with threat modeling methodologies.
- Familiarity with cloud security in AWS environments.
- Understanding of HIPAA or other regulated industry security requirements.
Nice To Haves
- Experience securing healthcare applications or working with PHI.
- Familiarity with EHR integration security including FHIR, HL7, Epic, or Cerner APIs.
- Security certifications such as OSCP, GWEB, or BSCP.
- Experience with bug bounty program management.
- SOC 2 or HITRUST audit support experience.
Responsibilities
- Partner with engineering teams to embed security throughout the SDLC across Fabric's Ruby on Rails, Python, React, and Node.js applications.
- Conduct security-focused code reviews and provide actionable guidance on secure coding practices.
- Lead threat modeling exercises for new features and architectural changes.
- Conduct application penetration testing and vulnerability assessments across the platform, prioritizing findings and working directly with engineering to drive remediation.
- Implement and manage SAST and DAST tooling integrated into CI/CD pipelines.
- Build security guardrails and automated checks that allow engineering to move fast without introducing risk to the platform or patient data.
- Ensure application security practices meet HIPAA, SOC 2, and HITRUST requirements.
- Assess third-party integrations and APIs for security risk, including EHR integrations with Epic and Cerner.
- Run secure coding training and awareness programs for engineering teams.
- Serve as the internal subject matter expert on application security and lead response to application-layer security incidents.
Benefits
- Medical
- Dental
- Vision
- Unlimited PTO
- 401(K) plan
- Stock options
- Bonuses
Stand Out From the Crowd
Upload your resume and get instant feedback on how well it matches this job.
What This Job Offers
Job Type
Full-time
Career Level
Senior
Education Level
No Education Listed
Number of Employees
251-500 employees
