Senior Application Security Engineer

Remote Position

Applications have closed
Invitae logo
Invitae

Location: San Francisco, CA or Remote throughout US

Invitae is dedicated to bringing comprehensive genetic information into mainstream medicine to improve healthcare for billions of people. Our team is driven to make a difference for the patients we serve. We are leading the transformation of the genetics industry, by making genetic testing affordable and accessible for everyone to guide health decisions across all stages of life. 

Our Information Security Team is pushing the envelope on shift left strategies to ensure all software development and IT operations at Invitae adhere to security best practices from inception to implementation.  We’re looking for individuals passionate about furthering this vision and helping to redefine what state of the art means!

What you’ll do:

The Sr. Application Security Engineer will be responsible for: 

  • Ensuring web applications, APIs and cloud services are planned, designed, developed, implemented, and monitored in accordance with the Information Security Policy and associated HITRUST, HIPAA, PCI and SOX security controls
  • Developing, implementing and monitoring enterprise information security architectures and solutions. 
  • Designing and automating assessments through penetration testing and ethical hacking, then analyzing security risks and recommending mitigating and compensating security controls.
  • Working closely with the Security Operations Team to develop new incident response plans and playbooks related to web application security threats
  • Working closely with engineering and QA to ensure security principles are enforced in all stages of the software development lifecycle
  • Participating in source code reviews and providing assessments of changes to application design and architecture prior to release to production
  • Working closely with cross functional teams to embed security, logging, and auditing in all applications hosted within the corporate and cloud environments
  • Performing assessments of security tools, vendors and solutions to support information security roadmap initiatives
  • Developing and maintaining a program to deliver on demand training associated with high risk coding practices and detected software security vulnerabilities
  • Working closely with Security Governance & Compliance to develop and deliver required compliance training related to secure software development best practices
  • Performing internal penetration testing working closely with the engineering team to assess and prioritize discovered security issues and vulnerabilities
  • Maintaining and supporting application security tools, including static and dynamic security analysis solutions, and developing relevant documentation
  • Leading a cross functional team of security and engineering champions to mature software development practices throughout the organization based upon BSIMM guiding principles
  • Working closely with the CISO to develop metrics and dashboards for executive reporting on the progress and status of application security initiatives and objectives

What you bring:

  • Minimum 7+ years of experience in Information Security with an emphasis on application security
  • At least one security related certification, such as CISSP, GIAC, CSSLP, CEH required.  OSCP strongly preferred.
  • Experience with the development, deployment, and automation of application security solutions in an enterprise cloud based environment
  • Deep understanding of OWASP Top 10 and CWE/SANS Top 25
  • Demonstrated proficiency in ethical hacking and white hat penetration testing techniques
  • In-Depth knowledge of web application architecture, API development, and MVS frameworks required
  • Proven ability to manage priorities & deadlines and to work independently in a highly dynamic and diverse environment with multiple concurrent projects happening simultaneously. 
  • Demonstrated experience in investigating security issues related to web application exploits, credential stealing and authentication-based exploits
  • Familiar with threat models for large, distributed systems and cloud-based SaaS infrastructure

Preferred:

  • Experience in DevOps environments and maintaining security in CI/CD processes highly desired
  • Solid understanding of AWS architecture and services
  • Knowledge of technical security control environments and compliance frameworks including CSA CCM, ISO 270001 and SOC 2. Strong understanding of HITRUST highly desired.
  • Hands-on technical proficiency with Burp Suite, Metasploit and Kali Linux highly preferred.
  • Experience in creating detailed solution design documents & diagrams
  • Demonstrated ability to facilitate automation and integration through scripting highly preferred.
  • Demonstrated proficiency in JavaScript, HTML, React/Angular and Python.  Programming experience in Java, Go, Scala, Python, C++ or C highly preferred.

At Invitae, we value diversity and provide equal employment opportunities (EEO) to all employees and applicants without regard to race, color, religion, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status. We will consider for employment qualified applicants with criminal histories in a manner consistent with the requirements of the San Francisco Fair Chance Ordinance.

 

#L1-HS1

#LI-Remote

Job region(s): Remote/Anywhere
Job stats:  13  1  0

Explore more Information Security career opportunities