Application Security Engineer


Hims & Hers logo
Hims & Hers
hims is a one-stop telehealth service for men's wellness and care, providing treatment options for hair loss, ED & more
Apply now Apply later

Hims & Hers Health, Inc. (better known as Hims & Hers) is a multi-specialty telehealth platform building a virtual front door to the healthcare system. Hims & Hers connects consumers to licensed healthcare professionals, enabling people to access high-quality medical care—from wherever is most convenient—for numerous conditions related to primary care, mental health, sexual health, skincare, and more. Launched in November 2017, the platform also offers thoughtfully created and curated health and wellness products. With products and services available across all 50 states and Washington, D.C., Hims & Hers’ mission is to make it easier for all Americans to access affordable care and treatment for conditions that impact their daily lives. In January 2021, the company was listed on the NYSE at an initial valuation of $1.6 billion and is traded under the ticker symbol “HIMS”. To learn more about our brand and offerings, you can visit and

The Application Security Engineer will integrate security features, tools, and validation/detection processes into the product development lifecycle. This role will work closely with Product and Engineering organizations to model cyber security threats, coordinate or perform proactive vulnerability scan, penetration test, develop tools and processes to automate the identification of security flaws, and identify effective mitigating controls where feasible in the application stack to build resilience into the products. The candidate will partner with Engineering Teams to diagnose, document, and remediate application security vulnerabilities. Additional responsibilities include evaluating, recommending, and implementing application security related solutions in an automated continuous integration/deployment environment. Further, the engineer must be comfortable leading and training developers in secure SDLC best practices. Candidates with strong communication, excellent creative problem-solving skills and experience working on cloud-based products will be most successful in this role. 



  • Partner with Product Development Teams to formulate and implement a strategy for software security that is tailored to the specific risks faced by the product and its targeted consumers
  • Conduct application security assessments and aggregate threat intelligence regularly to identify attack vectors against applications and products
  • Perform threat modeling/ design risk analysis/ security assessments in partnership with engineering and product partners, providing guidance that balances security requirements with functional requirements
  • Mitigate risk by updating the protection mechanism by leveraging appropriate tools and solutions
  • Develop and maintain a risk-based application security program based on a well-defined application security framework
  • Develop application security awareness and training curriculum in collaboration with Engineering Organization
  • Drive development of common security solutions and frameworks  including but not limited to Application and API Identity and Access Management
  • Continuously evaluate the organization's existing application security practices, define and measure security-related activities, and demonstrate concrete improvements to the application assurance program within the engineering organization
  • Coordinate or conduct application penetration testing and drive remediation efforts to completion
  • Identify, develop, and integrate security testing tools, including but not limited to SAST, IAST, and SCA, into continuous integration and continuous development framework
  • Provide recommendations on security requirements to be included in product design and security testing
  • Provide recommendations to the Risk Management Framework process activities and related documentation
  • Research and design ways to achieve risk reduction objectives in creative ways, including rapidly growing our current tool stack where appropriate
  • Ensure integrity and confidentiality of data
  • Key member of the security incident response team
  • Document security processes and standards

Experience & Skills:

  • 5+ years of software development experience
  • Deep expertise in software development with elements of security is a must
  • Experience building software solutions using common programming languages like Java, Kotlin, Node.js, and Python
  • Familiarity with Cybersecurity Frameworks including NIST 800-53, NIST CSF, CIS Top 20, MITRE ATT&CK, etc.
  • Thorough knowledge of OWASP Top 10 & ASVS
  • Deep knowledge of cryptography, authentication and authorization protocols and standards, including SSL/TLS, SAML, OAuth, JWT Tokens
  • Ability to collaborate and provide clear point of view to multiple teams, ensuring results are aligned with company business objectives and delivered within planned timelines
  • Outstanding written and oral communications skills with the ability to develop internal processes and articulate assessment results
  • Preferably certified in at least one or more of the following security certifications: CISSP, CISM, CEH, GCIH, GCSA, GCPN, GSEC

Preferred Experience & Skills:

  • Prior experience in cloud-based product environments 
  • Prior experience with modern application architecture (API based), and Web / Mobile applications 
  • Possess a desire to (ethically) break into things and can communicate the attack scenarios and mitigation options based on standard framework 
Job region(s): Remote/Anywhere
Job stats:  58  15  0
  • Share this job via
  • or

Explore more Information Security career opportunities