Product Security Manager

United States

Applications have closed

Ro

Ro is a healthcare company designed to help you meet your health goals. We connect patients with US-licensed healthcare professionals all online. Get started today.


About Ro

Ro is the healthcare technology company building a patient-centric healthcare system. Ro's vertically-integrated primary care platform powers a personalized, end-to-end healthcare experience from diagnosis, to delivery of medication, to ongoing care. With a nationwide provider network, in-home care API, and proprietary pharmacy distribution centers, Ro is the only company to seamlessly connect telehealth and in-home care, diagnostics, and pharmacy services nationwide to provide high-quality, affordable healthcare without the need for insurance. Since 2017, Ro has facilitated more than six million digital healthcare visits in nearly every county in the United States, including 98% of primary care deserts. Ro also provides its patient-centric solutions including Workpath, its in-home care API, and Kit, its at-home diagnostic testing service, to other healthcare companies. Visit Ro.co for more information.
Ro was named #2 in Wellness on Fast Company's 2019 list of the World's Most Innovative Companies, listed by Inc. Magazine as a Best Place to Work in 2020 and 2021, and named one of FORTUNE's 2021 Best Workplaces In Health Care.
The Product Security Team protects the security and privacy of our patients by enabling product teams to build scalable and secure-by-design technologies. We do this by collaborating with Engineering Managers and Product Managers in devising, implementing, and communicating a well-rounded approach to application security. With direct influence on strategic initiatives at Ro, you will be relied upon to provide engineering and product teams with the security expertise necessary to make confident product decisions. 
This role is a player-coach leadership position: managerial, while also serving as a hands-on technical expert who reveals and mitigates weaknesses in products and infrastructure. You will provide guidance to development teams that results in more secure products for our patients while driving the entire Product Security team to maintain progress on roadmapped strategic initiatives. The Product Security team scales through security partnerships and tooling/automation, and you coordinate the team to make that happen. With a proven background in application security, you will provide mentorship not just to your fellow AppSec engineers but to software and infrastructure engineers across the company. This role reports directly to the Director of Product Security and will work closely with both product teams and business leaders across the company.

What You'll Do:

  • Meet product teams at eye level: Lead and coordinate the Product Security team in security partnerships across the company. The team enables product teams by providing security guidance on new frameworks and technologies early in product development. As an application security expert, you’ll partner with product teams as well. 
  • Be preventive over prescriptive: Identify shortfalls and align product security resources in security and privacy initiatives
  • Provide on-going care: Regularly review and analyze design, architectures, existing systems, services, and applications from a security perspective via black box testing, code reviews, automation, threat modeling and research
  • Incorporate expertise from specialists: Interact directly with the security community regarding vulnerabilities or threats through our vulnerability disclosure program and by attending AppSec conferences
  • Elevate the field with knowledge: Actively promote sound application security engineering practices across the company through security education, mentor/coach fellow Product Security Engineers, drive input and proposals to application security strategy and product roadmaps

What You'll Bring:

  • B.S. or M.S. in Computer Science, Computer Engineering, Electrical Engineering, or other relevant majors, or equivalent experience
  • 7+ years of application security experience such as design reviews, threat modeling, security mitigation development, and application security tooling/automation
  • Knowledge and experience in various disciplines of application security but an expert in at least one: web application security, mobile app security, network security, applied cryptography, cloud computing/infrastructure, application security-specific tooling (DAST, SAST, RASP, WAFs, etc.)
  • A diverse set of leadership tools, establishing and maintaining relationships with business leaders, experience mentoring and supporting peers and engineering teams, encouraging the best engineering practices, and leading by example
  • Deep knowledge of secure coding principles and the ability to conduct a comprehensive review in at least one topical area from the OWASP Application Verification Standard or Mobile AppSec Verification Standard (e.g., cryptography, injection, XSS, AuthN/AuthZ, modern identity frameworks)
  • The ability to vet and provision 3rd party engineering training materials/platforms and experience building or leading a company-wide security champions program
  • Experience leading a Vulnerability Disclosure Program or Bug Bounty Program through a vendor relationship
  • A track record of success in securing scalable web and/or mobile applications while limiting impact to developer velocity to the extent possible 
  • Solid experience in writing and reviewing code in at least one of the following programming languages: JavaScript (Node JS), Go, Python, Swift
  • A deep understanding of how to translate product and business goals into tech and how to stay focused on the most impactful
  • Excellent troubleshooting skills in a highly collaborative environment, effectively breaking down complex projects and ensuring their delivery in a timely manner

Benefits + Perks:

  • Full medical, dental, and vision insurance + OneMedical membership
  • Healthcare and Dependent Care FSA
  • Commuter benefits
  • 401(k)
  • Flexible PTO
  • Fitness reimbursement
  • Paid maternity/parental leave 
  • A never-ending supply of office snacks + coffee + tea
  • The cutest office dog you’ve ever seen
At Ro, we believe that our diverse perspectives are our biggest strengths — and that embracing them will create real change in healthcare. As an equal opportunity employer, we are committed to building an inclusive environment where you can be you.

Tags: APIs Application security Automation Black box Cloud Computer Science Cryptography DAST JavaScript Network security Node.js OWASP Privacy Product security Python SAST Security strategy Strategy Vulnerabilities XSS

Perks/benefits: Conferences Fitness / gym Flex vacation Health care Home office stipend Medical leave Parental leave Wellness

Region: North America
Country: United States
Category: Leadership Jobs
