Senior Product Security Engineer
Driven by our mission to make it easier to understand, navigate, and pay for healthcare, Collective Health is evolving the way health benefits work. If you are passionate about our mission and you are an experienced hands-on product and application security professional who is excited about developing and leading a broad range of functions at a mission-driven, highly-regulated technology company, this role is for you.
You’ll lead initiatives that address the company’s—and some of our industry’s—most complex and important security and architectural challenges. You will build relationships across all parts of the business and drive cross-functional initiatives to continuously improve our security and privacy posture. You will be responsible for building and implementing controls that can scale and optimize as we move into a context-aware security environment.
This role will focus on security architecture, design and engineering disciplines while being able to lay out product security maturity, identify program and tool gaps, and recommend solutions. Building strong partnerships with Engineering, Product, Risk and customer-facing teams is a core tenet of the role and the team. You will help build an enterprise testing and assessment framework by introducing and integrating security tools, processes and responsibilities with the developer ecosystem. Tools include, but are not limited to, Dynamic Analysis, Static Analysis, Runtime Application Self-Protection, Web Application Firewall and Software Composition Analysis. While the primary responsibilities include architecture and design scalability and optimization, other duties such as penetration testing, design reviews, network and system assessments, and following up on identified risks are also part of this job when and where necessary.
What you’ll do:
- Design and implement enhancements to our Continuous Integration and Continuous Deployment (CI/CD) pipeline(s) to include security controls and appropriate guardrails to help build secure code and scale security processes
- Perform code audits on internal and open source libraries for inclusion in our products and/or for employee consumption
- Perform, and assist other team members in, penetration testing (web application, networks, systems and/or Wi-Fi), and effectively translate the technical requirements and findings for appropriate user groups and stakeholders
- Oversee and collaborate with team members, understand their processes and workflows, prioritize their ideas and innovations and develop improvements to ensure successful execution.
- Architect, build and drive implementations of DAST/SAST/SCA/WAF/RASP/IAST solutions in an enterprise environment
- Perform threat modeling and attack simulation exercises, both in the context of internal assessments and while assisting third-party penetration testing/gray box testing
- Provide detailed explanations of the security issues found and ensure that those responsible for fixing them have a firm grasp of the fixes that need to be implemented
- Provide technical leadership and mentorship on security topics to both security and non-security user groups
- Strong experience with common attack scenarios in various common layers within our infrastructure (cloud-based issues, code quality, insider threat, etc.)
- Strong experience with socializing and building partnerships on security programs and user expectations
- Strong experience with training and mentoring the entire company on security practices and other awareness-related exercises
- Deep understanding of information security principles and practices; vulnerability and risk classes
- Experience programming in one or more of the following languages: Python, JS, Go, ROR or Java
- Experience working with cloud networks (AWS, GCP, DO, Azure)
- Practical experience conducting web application security reviews, application and network-based penetration testing, and threat modeling
- Leading technical security experts in the augmentation of our Continuous Integration (CI) pipeline to include security testing; collaborate with stakeholders on overall CI/CD vision and implementation strategy
- Familiarity with container-based infrastructure orchestration (e.g. Docker, Kubernetes, Mesos)
- Maintain awareness of threat intelligence and industry security threats, and lead management of security incidents
Collective Health is a technology company simplifying employer healthcare to make health insurance work for everyone. With more than 200,000 members and over 45 enterprise clients—including Pinterest, Red Bull, Restoration Hardware, Activision Blizzard, and more—our technical and customer experience teams are reinventing the healthcare experience for forward-thinking employers and their people across the U.S.
Collective Health is headquartered in San Francisco, CA, with additional offices in Chicago, IL, and Lehi, UT. Founded in 2013, Collective Health is backed by the SoftBank Vision Fund, DFJ Growth, PSP Investments, NEA, GV, G Squared, Founders Fund, Maverick Ventures, Mubadala Ventures, Sun Life, and other leading investors. For more information, visit us at https://www.collectivehealth.com
We are an equal opportunity employer and value diversity at our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status.