Cloud Security Engineer
At Ginger, we believe that everyone deserves access to incredible mental healthcare. Our on-demand system brings together behavioral health coaches, therapists, and psychiatrists, who work as a team to deliver personalized care, right through your smartphone. The Ginger app provides members with access to the support they need within seconds, 24/7, 365 days a year. Millions of people have access to Ginger through leading employers, health plans, and our network of partners.
Ginger has been recognized by The World Economic Forum as a Technology Pioneer and by Fast Company as one of the Most Innovative Companies in Healthcare.
Ginger is a dynamic and fast growing startup with a forward-looking infrastructure and engineering systems landscape. Ginger operates its infrastructure in the top-class cloud IaaS and PaaS services and utilizes the best of the breed SaaS to power its business. There are many unique challenges and opportunities that are new to the industry and require creative thinking in order to balance the desire to continue to move fast and be nimble, and yet provide first-class privacy to the member's data and build unwavering trust with the members, customers and partners.
About the role:
The Cloud Security Engineer will be a key member of the technical team responsible for worldwide cloud infrastructure and application security at Ginger. You will help protect network boundaries, keep computer systems and network devices hardened against attacks and provide security services to protect highly sensitive data such as user and customer information. You work hands-on with cloud infrastructure and actively monitor the Ginger systems for attacks and intrusions. You also work with software engineers to proactively identify and fix security flaws and vulnerabilities. You use your industry experience to own and drive the resolution of complex security incidents, policy questions and technical security issues. Beyond the methodologies and tools, it is important for you to drive a culture of security and develop an attacker's mind-set.
What you'll do:
- Interact closely with other cyber security architects, privacy officers, engineering, and product management teams to ensure adequate security capabilities and controls are in place within the technology stack to mitigate security risks and meet the highest security and compliance requirements.
- Review webapp and mobile code for security vulnerabilities and propose fixes to the development team.
- Ensure product security via static and dynamic scanning of applications and automation into the integration and deployment pipelines.
- Promote Infrastructure-as-Code and the benefits of resilience, consistency, and rapid iteration of the infrastructure security posture.
- Manage the maturity of the serverless and containerization approach to infrastructure.
- Continuously research, design, advocate and recommend new security technologies, architectures, and products that will ensure meeting all the compliance requirements.
- Function as the go-to individual with in-depth understanding of all security and compliance related nuances within the Ginger stack. Develop the ability to effectively navigate a highly complex environment to independently retrieve technical evidence for gaining assurance over effectiveness of controls.
- Conduct ad-hoc security architecture/application reviews to assess new risks, manage penetration testing researcher relationships, keep abreast of latest cyber security technical risks, and foster a culture of continuous service improvement and service excellence.
- BS degree or higher in Computer Engineering, MIS or in a STEM major (Science, Technology, Engineering or Math)
- 3+ years of relevant experience in architecting security solutions and in-depth knowledge of security protocols/tools, and automation in a regulated industry such as healthcare, banking or financial services
- Strong knowledge and understanding of common web and mobile vulnerabilities and mitigations including OWASP Top 10, Content Security Policy (CSP) and the MITRE ATT&CK framework.
- Experience building and deploying applications using cloud infrastructure on AWS using modern serverless and container technologies.
- Experience configuring and monitoring AWS Security artifacts such as WAF, ALB/ELB, Guard Duty, SSM, Config, CloudTrail, CloudWatch, Inspector, Detective among others.
- Hand on experience with Static and Dynamic vulnerability scanning tools such as SonarQube, Qualys, Rapid7 Appsec, among others.
- Demonstrated understanding of agile secure software development lifecycle and ability to distinguish the core inputs and outputs in each cycle
- Familiarity with one or more industry security compliance frameworks and/or regulations such as ISO 27001/2, PCI-DSS, HIPAA, GDPR, FedRAMP, CIS, HITRUST, SSAE16, SOC 1, SOC 2, International Privacy Requirements including EU Privacy and Safe Harbor
- Attention to detail and a thorough approach to problem-solving
- Ability to efficiently handle ambiguity and appropriately prioritize competing projects
- Ability to work autonomously on multiple projects with a geographically distributed team
- Strong written and verbal communication skills
- CISSP, CISM certifications
- AWS Practitioner certification
- Certified Ethical Hacker and/or OSCP certification