Application Security Engineer
Remote - U.S.
Applications have closed
Ginger
Headspace can support any team, of any size, at any time through EAP, coaching, therapy, psychiatry services, meditation & mindfulness.
About us:
At Ginger, we believe that everyone deserves access to incredible mental healthcare. Our on-demand system brings together behavioral health coaches, therapists, and psychiatrists, who work as a team to deliver personalized care, right through your smartphone. The Ginger app provides members with access to the support they need within seconds, 24/7, 365 days a year. Millions of people have access to Ginger through leading employers, health plans, and our network of partners.
Ginger has been recognized by The World Economic Forum as a Technology Pioneer and by Fast Company as one of the Most Innovative Companies in Healthcare.
Ginger is a dynamic and fast-growing startup with a forward-looking infrastructure and engineering systems landscape. Ginger operates its infrastructure on top-class cloud IaaS and PaaS services and uses best-of-breed SaaS to power its business. There are many unique challenges and opportunities that are new to the industry and require creative thinking in order to balance the desire to continue to move fast and be nimble with the need to provide first-class privacy for members' data and build unwavering trust with members, customers and partners.
About the role:
The Cloud Security Engineer will be a key member of the technical team responsible for worldwide cloud infrastructure and application security at Ginger. You will help protect network boundaries, keep computer systems and network devices hardened against attacks and provide security services to protect highly sensitive data such as user and customer information. You work hands-on with cloud infrastructure and actively monitor the Ginger systems for attacks and intrusions. You also work with software engineers to proactively identify and fix security flaws and vulnerabilities. You use your industry experience to own and drive the resolution of complex security incidents, policy questions and technical security issues. Beyond the methodologies and tools, it is important for you to drive a culture of security and develop an attacker's mind-set.
What you'll do:
- Interact closely with other cyber security architects, privacy officers, engineering, and product management teams to ensure adequate security capabilities and controls are in place within the technology stack to mitigate security risks and meet the highest security and compliance requirements.
- Review webapp and mobile code for security vulnerabilities and propose fixes to the development team.
- Ensure product security via static and dynamic scanning of applications and automation into the integration and deployment pipelines.
- Promote Infrastructure-as-Code and the benefits of resilience, consistency, and rapid iteration of the infrastructure security posture.
- Manage the maturity of the serverless and containerization approach to infrastructure.
- Continuously research, design, advocate and recommend new security technologies, architectures, and products that will ensure meeting all the compliance requirements.
- Function as the go-to individual with in-depth understanding of all security and compliance related nuances within the Ginger stack. Develop the ability to effectively navigate a highly complex environment to independently retrieve technical evidence for gaining assurance over effectiveness of controls.
- Conduct ad-hoc security architecture/application reviews to assess new risks, manage penetration testing researcher relationships, keep abreast of latest cyber security technical risks, and foster a culture of continuous service improvement and service excellence.
Requirements:
- BS degree or higher in Computer Engineering, MIS or in a STEM major (Science, Technology, Engineering or Math)
- 3+ years of relevant experience in architecting security solutions and in-depth knowledge of security protocols/tools, and automation in a regulated industry such as healthcare, banking or financial services
- Strong knowledge and understanding of common web and mobile vulnerabilities and mitigations including OWASP Top 10, Content Security Policy (CSP) and the MITRE ATT&CK framework.
- Experience building and deploying applications using cloud infrastructure on AWS using modern serverless and container technologies.
- Experience configuring and monitoring AWS security services such as WAF, ALB/ELB, GuardDuty, SSM, Config, CloudTrail, CloudWatch, Inspector and Detective, among others.
- Hands-on experience with static and dynamic vulnerability scanning tools such as SonarQube, Qualys and Rapid7 AppSec, among others.
- Demonstrated understanding of agile secure software development lifecycle and ability to distinguish the core inputs and outputs in each cycle
- Experience in scripting with Python, JavaScript and shell, and in mobile app development with iOS, Android and hybrid technologies
- Familiarity with one or more industry security compliance frameworks and/or regulations such as ISO 27001/2, PCI-DSS, HIPAA, GDPR, FedRAMP, CIS, HITRUST, SSAE16, SOC 1, SOC 2, International Privacy Requirements including EU Privacy and Safe Harbor
- Attention to detail and a thorough approach to problem-solving
- Ability to efficiently handle ambiguity and appropriately prioritize competing projects
- Ability to work autonomously on multiple projects with a geographically distributed team
- Strong written and verbal communication skills
Preferred:
- CISSP, CISM certifications
- AWS Practitioner certification
- Certified Ethical Hacker and/or OSCP certification
Tags: Agile Android Application security Automation AWS Banking CISM CISSP Cloud Compliance FedRAMP GDPR HIPAA HITRUST IaaS iOS ISO 27001 JavaScript MITRE ATT&CK Monitoring OSCP OWASP PaaS Pentesting Privacy Product security Python Qualys SaaS Scripting SOC 1 SOC 2 SonarQube STEM Vulnerabilities
Perks/benefits: Health care Startup environment