Application Security Engineer

Hims & Hers Health, Inc. (better known as Hims & Hers) is a multi-specialty telehealth platform building a virtual front door to the healthcare system. Hims & Hers connects consumers to licensed healthcare professionals, enabling people to access high-quality medical care—from wherever is most convenient—for numerous conditions related to primary care, mental health, sexual health, skincare, and more. Launched in November 2017, the platform also offers thoughtfully created and curated health and wellness products. With products and services available across all 50 states and Washington, D.C., Hims & Hers’ mission is to make it easier for all Americans to access affordable care and treatment for conditions that impact their daily lives. In January 2021, the company was listed on the NYSE at an initial valuation of $1.6 billion and is traded under the ticker symbol “HIMS”. To learn more about our brand and offerings, you can visit forhims.com and forhers.com.

The Application Security Engineer will build and maintain secure distributed systems related to identity and access management, microservice security, web/mobile security, and much more. They will also integrate security features, tools, and validation/detection processes into the product development lifecycle. This role will work closely with Product and Engineering teams to develop tools and processes to automate the identification of security flaws, and identify effective mitigating controls where feasible in the application stack to build resilience into the products. The candidate will partner with Engineering Teams to diagnose, document, and remediate application security vulnerabilities. Additional responsibilities include evaluating, recommending, and implementing application security related solutions in an automated continuous integration/deployment environment. Further, the engineer must be comfortable leading and training developers in secure SDLC best practices. Candidates with strong communication, excellent creative problem-solving skills and experience working on cloud-based products will be most successful in this role. 

Responsibilities:

• Build internal libraries and APIs that help our engineering teams leverage best practices in data security.
• Collaborate with Security, Engineering, Product, and Data teams to incorporate strong security controls, apply security best practices in our development life cycle, and mitigate risks and security vulnerabilities.
• Promote and drive the implementation of a data security architecture that supports Engineering’s and business’ goals and deliverables, through strategy, design, requirements, and code.
• Implement technical prototypes to understand new technologies as well as identify and manage risks for projects in active development.
• Contribute to improving the organization’s data security patterns, security controls and best practices.
• Mentor team members and engineers on security best practices.

You are a good fit if you have:

• 5+ years of software development experience.
• Experience creating public or internal APIs.
• A passion for and a solid understanding of what it takes to build and maintain secure, reliable, observable, and highly scalable systems in collaboration with multiple teams.
• Experience building software with Java, Kotlin, Golang, Rust, Python, or any other concurrency-friendly language.
• Ability to collaborate and provide clear point of view to multiple teams, ensuring results are aligned with company business objectives and delivered within planned timelines.
• Outstanding written and oral communications skills with the ability to develop internal processes and articulate assessment results.

Preferred skills:

• Prior experience in cloud-based product environments.
• Prior experience with modern application architecture (API based), and Web / Mobile applications preferred.
• Bachelor's degree in a relevant technical field/equivalent knowledge and experience.
• Experience with PostgreSQL or other relational databases.
• Familiarity with Cybersecurity Frameworks including OWASP Top 10 & ASVS, NIST 800-53, NIST CSF, CIS Top 20, MITRE ATT&CK, etc.
• Knowledge of cryptography, authentication/authorization, SSO, federation protocols and standards (SSL/TLS, SAML, OAuth2, JWT), microservice security, among others.
• Experience with implementing security controls for data governance laws such as HIPAA, SOC2, PCI, and GDPR.
• Certified in at least one or more of the following security certifications: CISSP, CISM, CEH, GCIH, GCSA, GCPN, GSEC.

Hims is an Equal Opportunity Employer and considers applicants for employment without regard to race, color, religion, sex, orientation, national origin, age, disability, genetics or any other basis forbidden under federal, state, or local law. Hims considers all qualified applicants in accordance with the San Francisco Fair Chance Ordinance.