Offensive Security Engineer

Due to Covid–19 we are working 100% remotely, this includes the hiring process. When it is safe to do so, we will return to a hybrid of onsite and remote work for some positions.
Why This Role Is Important To Arcadia
Arcadia is looking for an Offensive Security Engineer to report directly to our VP of Security, Privacy & Compliance.  In this multi-faceted role, you will be an integral part of our Security team, responsible for designing, conducting and reporting on penetration tests against components of our SaaS web application. You will also work with software developers to ensure secure coding and assist with the remediation of any vulnerabilities identified. 
The Offensive Security Engineer will work as a member for the Information Security team focused on ensuring the security of Arcadia’s Population Health Analytics portfolio through application security testing, code review, and risk/impact analysis of proposed changes and features. This role will partner with both engineering and product to ensure that security requirements are consistently considered and addressed throughout the development and operational lifecycle including ownership of the SDLC Security plan, code review and remediation, pre-production and ongoing application security testing, vulnerability tracking and remediation.The right Offensive Security Engineer can work independently and follow up with various lines of business as needed to ensure timely testing of the application and closure of any findings.  We are looking for someone who is passionate about finding and fixing application vulnerabilities and will be hyper-vigilant in ensuring that all facets of our SaaS web application is secure against attackers.
What Success Looks LikeIn 3 months- Plan and execute penetration tests against web applications and infrastructure; produce reports for stakeholders.- Ensure the implementation of HITRUST controls related to Secure Application Development.- Participate in Information Security & Privacy Steering Committee Meetings.- Conduct code reviews. In 6 months- Track remediation efforts for discovered vulnerabilities and ensure they are patched according to the timeframes specified.- Work with Product and Engineering teams to review new features from a security perspective, perform threat modeling, and conduct code reviews. In 12 months- Participate in building and maturing security capabilities and operations.- Ensure that new product releases are continuously being tested prior to being put into production.

What Will You Be Doing

• Defining, maintaining, and implementing application security best practices to meet HITRUST requirements.
• Owning Security SDLC plan and processes ensuring relevant tasks are completed and required artifacts are created and maintained.
• Providing guidance to Engineering teams during design reviews including threat modeling.
• Integrating security best practices and tooling into our CI/CD processes.
• Evaluating the impact to the organization of current security advisories, publications, and trends.
• Working with Security team and Product stakeholders to build a penetration testing schedule for all products and infrastructure.
• Performing penetration tests and review web applications, source code, operating systems, and network security architectures; find vulnerabilities and define effective strategies for remediation and hardening.
• Performing Red/Purple Team exercises to identify strengths and gaps in defensive tools and processes.
• Explaining and demonstrating vulnerabilities to product stakeholders, provide remediation steps, and design solution prototypes and/or implement security enhancements.
• Tracking and driving remediation efforts for discovered vulnerabilities in web applications and network ensuring they are patched according to the timeframes specified by policy.
• Participating in building and maturing security capabilities and operations.
• Ensuring that the Security Impact Analysis is completed for web/code changes as part of Change Management process.
• Ensuring that all changes are properly tested in a separate test environment prior to being put into production.
• Participating as a key member of Incident Response team as web application and network security SME focused on determining impact, root cause, and resolution associated.
• Identifying, vetting, and coordinating third party vendors in meeting third-party application security testing requirements.

What You'll Bring

• A passion for Application and Network Security with an attacker mindset.
• 3+ years of proven code review and penetration testing experience in both web applications and infrastructure; finding vulnerabilities and defining effective strategies for remediation and hardening.
• Experience testing and securing infrastructure on cloud providers such as AWS/Azure.
• Knowledge of the Secure SDLC.
• A firm understanding of OWASP Top 10.
• Experience with static and dynamic code analysis.
• Strong scripting and development skills in languages such as Java, JavaScript, Ruby, Python.
• Security certifications such as OSCP, OSCE, PNPT, EWPT, ECPTX.
• Ability to write formal assessment reports and to explain vulnerabilities to different stakeholders.
• Knowledge and understanding of attack surfaces and the ability to carry out APT style tactics, techniques, and procedures on enterprise systems and services.

Would Love For You To Have

• Experience threat modeling SaaS products, cloud infrastructure, RESTful microservices, etc
• Applied security research, cryptography, reverse engineering, and fuzzing experience.
• Additional certifications such as OSWE, GPEN, GXPN, or CREST will be very desirable.
• Experience in Vulnerability management within containerized environments
• Strong IaaS security skills, with a focus on AWS
• Understanding of Microsoft Windows Server/AD deployments
• Experience conducting Red Team and Purple Team operations

What You'll Get

• You will work with a team of experts in building and maintaining a highly validated security and privacy program for the leader in Population Health and Healthcare data analytics including experience with certifications such as HITRUST, ISO 27001, and SOC 2.
• Be a part of a team and organization that has built security and privacy into the fabric and culture of the organization.
• You will learn how to build and maintain a fully validated and industry leading security program.
• Your responsibilities will grow with you as a critical member of our team.
• Be a part of a mission driven company that is transforming the healthcare industry by changing the way patients receive care
• A flexible, remote friendly company with personality and heart
• Employee driven programs and initiatives for personal and professional development
• Be a member of the Arcadian and Barkadian Community

About ArcadiaArcadia.io helps innovative healthcare systems and health plans around the country transform healthcare to reduce cost while improving patient health.   We do this by aggregating massive amounts of clinical and claims data, applying algorithms to identify opportunities to provide better patient care, and making those opportunities actionable by physicians at the point of care in near-real time.  We are passionate about helping our customers drive meaningful outcomes. We are growing fast and have emerged as the market leader in the highly competitive population health management software and value-based care services markets, and we have been recognized by industry analysts KLAS, IDC, Forrester and Chilmark for our leadership. For a better sense of our brand and products, please explore our website, our online resources, and our interactive Data Gallery.
This position is responsible for following all Security policies and procedures in order to protect all PHI under Arcadia's custodianship as well as Arcadia Intellectual Properties.  For any security-specific roles, the responsibilities would be further defined by the hiring manager.