Offensive Security Engineer

Arcadia is dedicated to happier, healthier days for all. We transform diverse data into a unified fabric for health. Our platform delivers actionable insights for our customers to advance care and research, drive strategic growth, and achieve financial success. For more information, visit arcadia.io.
Why This Role Is Important To Arcadia
Arcadia is looking for a Offensive Security Engineer to report directly to our Security Manager.  In this multi-faceted role, you will be an integral part of our Information Security team, responsible for designing, conducting and reporting on penetration tests against components of our SaaS-based Analytics Platform and supporting web applications. You will also work with software developers to ensure secure coding and assist with the remediation of any vulnerabilities identified. 
The Offensive Security Engineer will work as a member of the Information Security team focused on ensuring the security of Arcadia’s product portfolio and corporate network through security testing, code review, and risk/impact analysis of proposed changes and features. This role will partner with both engineering and product teams to ensure that security requirements are consistently considered and addressed throughout the development and operational lifecycle, including SDLC security plan, code review and remediation, pre-production and ongoing application security testing, vulnerability tracking and remediation.We are looking for someone who is passionate about finding and fixing application and infrastructure vulnerabilities and will be hyper-vigilant in ensuring that all facets of our Analytics Platform, supporting web applications, and the corporate network is secure against attackers.
What Success Looks LikeIn 3 months- Plan and start executing penetration tests against web applications and infrastructure; produce reports for stakeholders- Ensure the implementation of HITRUST controls within the scope of your responsibilities- Develop and maintain an organization’s threat profile and threat models- Develop monthly threat landscape updates In 6 months- Track remediation efforts for discovered vulnerabilities and ensure they are remedied according to the timeframes specified- Work with Product and Engineering teams to review new features from a security perspective, perform threat modeling, and conduct code reviews- Strengthen the code review process In 12 months- Participate in building and maturing security capabilities and operations- Ensure that new product releases are continuously being tested prior to being put into production

What You'll Be Doing

• Responsible for conducting and coordinating penetration testing and red teaming activities, researching and analyzing vulnerabilities, identifying relevant threats, developing corrective action recommendations, and summarizing and reporting results.
• Develop and refine methodologies to conduct Red Team operations successfully and consistently covering all areas of technology.
• Design and develop scripts, frameworks, tools, and the methods required for facilitating and executing complex scenarios, emulating malicious actor behavior aimed at avoiding detection.
• Perform manual penetration testing of web applications, APIs, and internal and external networks.
• Coordinate external penetration and web application scanning activities.
• Document in detail the results of assessments, audits, tests, and verification activities.
• Perform manual validation of vulnerabilities.
• Defining, maintaining, and implementing application security best practices to meet HITRUST and other security requirements.
• Providing guidance to Engineering teams during design reviews, including threat modeling.
• Develop and maintain the Information Security team’s threat models/profiles.
• Coordinate and facilitate tabletop exercises.
• Evaluating the impact on the organization of current security advisories, publications, and trends.
• In partnership with the Security Architect, review web applications, source code, operating systems, and network security architectures to identify vulnerabilities and define effective strategies for remediation and hardening.
• Explaining and demonstrating vulnerabilities/findings to product stakeholders, providing remediation steps, and designing solution prototypes and/or implementing security enhancements.
• Participating in building and maturing security capabilities and operations.
• Participating as a key member of the Incident Response team and serve as a web application and network security SME focused on determining impact, root cause, and resolution associated when needed.
• Identifying, vetting, and coordinating third-party vendors in meeting third-party application security testing requirements.

What You'll Bring

• A passion for security and an attacker mindset.
• 3+ years of proven code review and penetration testing experience in both web applications and infrastructure; finding vulnerabilities and defining effective strategies for remediation and hardening.
• Experience testing and securing infrastructure on cloud providers such as AWS/Azure.
• Applied Secure SDLC knowledge.
• Experience with static and dynamic code analysis.
• Strong scripting and development skills in languages such as Java, JavaScript, Ruby, Python, etc.
• Security certifications such as OSCP, OSCE, OSAP, eCPPTv2, PNPT.
• Ability to write formal assessment reports and to explain vulnerabilities to different stakeholders.
• Knowledge and understanding of attack surfaces for enterprise systems and services.
• Solid understanding of TCP/UDP ports and protocols and web requests including POST, GET, HTTP headers, user agents, request parameters, cookies, etc.
• Solid understanding of the OAuth 2.0 authorization flow, JWT, and how to identify and exploit common vulnerabilities in web-based applications and network environments.
• Self-starter with the ability to work independently, interface with multiple teams, and willingness to overcome challenging problems while identifying opportunities for improvement.

Would Love For You To Have

• Experience threat modeling SaaS products, cloud infrastructure, RESTful microservices, etc.
• Significant hands-on penetration testing experience and offensive capabilities in numerous core competency areas including web applications, mobile applications, cloud infrastructure, etc.
• Experience with a variety of open-source and commercial testing tools in areas such as web interception proxies, packet capture, debugging, and API interaction.
• Understanding of hashing, encryption, and hash cracking technology.
• Experience developing exploits and adding functionality to open-source tools.
• Applied security research, cryptography, reverse engineering, and fuzzing experience.
• Additional certifications such as OSWE, GPEN, GXPN, CREST, OSEP, CRTO, or BSCP will be very desirable.
• Experience in vulnerability management within containerized environments.
• Strong SaaS and cloud security skills, with a focus on AWS.
• Understanding of common Microsoft Active Directory/Azure AD environment security and related vulnerabilities.
• AWS Certified Solutions Architect, AWS Certified Security Specialist or similar certifications preferred, CCSP or CISSP.  

What You'll Get

• You will work with a team of experts in building and maintaining a highly validated security and privacy program for the leader in Population Health and Healthcare data.
• Be a part of a team and organization that has built security and privacy into the fabric and culture of the organization.
• Your responsibilities will grow with you as a critical member of our team.
• Be a part of a mission-driven company that is transforming the healthcare industry by changing the way patients receive care.
• The opportunity to work for an amazing, fast-growing software company leveraging a highly scalable cloud platform.
• Become an expert in all elements of securing clinical and claims healthcare data in the cloud.
• A flexible, remote-friendly company with personality and heart.
• Employee-driven programs and initiatives for personal and professional development.
• Awesome work environment.
• Competitive compensation/benefits package.
• Great benefits like flextime time off.

About ArcadiaArcadia.io helps innovative healthcare systems and health plans around the country transform healthcare to reduce cost while improving patient health.   We do this by aggregating massive amounts of clinical and claims data, applying algorithms to identify opportunities to provide better patient care, and making those opportunities actionable by physicians at the point of care in near-real time.  We are passionate about helping our customers drive meaningful outcomes. We are growing fast and have emerged as the market leader in the highly competitive population health management software and value-based care services markets, and we have been recognized by industry analysts KLAS, IDC, Forrester and Chilmark for our leadership. For a better sense of our brand and products, please explore our website, our online resources, and our interactive Data Gallery.
This position is responsible for following all Security policies and procedures in order to protect all PHI under Arcadia's custodianship as well as Arcadia Intellectual Properties.  For any security-specific roles, the responsibilities would be further defined by the hiring manager.