Staff Engineer, Product Security
United States
Applications have closed
One Medical
One Medical is committed to providing the best primary care through exceptional quality, a world-class experience, and second-to-none technology. Our highly-rated doctors take most insurance plans and are accepting new patients.
About Us
One Medical is a primary care solution challenging the industry status quo by making quality care more affordable, accessible and enjoyable. But this isn’t your average doctor’s office. We’re on a mission to transform healthcare, which means improving the experience for everyone involved - from patients and providers to employers and health networks. Our seamless in-office and 24/7 virtual care services, on-site labs, and programs for preventive care, chronic care management, common illnesses and mental health concerns have been delighting people for the past fifteen years.
In February 2023 we marked a milestone when One Medical joined Amazon. Together, we look to deliver exceptional health care to more consumers, employers, care team members, and health networks to achieve better health outcomes. As we continue to grow and seek to impact more lives, we’re building a diverse, driven and empathetic team, while working hard to cultivate an environment where everyone can thrive.
The Opportunity
The Product Security team at One Medical consults with and supports our Product team, which has developed a very large code base that comprises a full-featured Electronic Medical Records system, as well as patient-facing applications. The Product Security team reviews architecture, design, and code, maintains security-related scanning in the CI/CD pipeline, and serves as expert consultants to engineers, engineering managers, and product managers regarding all efforts to keep patient and corporate data safe.
This role reports to the Manager of Product Security, but also works frequently with the Senior Director of Information Security. You will work as a high-level technical liaison between the Product Security team and Product Development technical leadership roles, such as Principal Engineers, Engineering Managers, the VP of Engineering, and the VP of Data Science and Analytics. You will think strategically, not just tactically, and be comfortable with complexity and with situations where there is no perfect solution. This role is a partner (not a gatekeeper) for Product Development staff, and works to raise the security bar through education and counsel. You will help provide technical guidance regarding our CI/CD pipeline (GitHub, Dependabot, Semgrep, StackHawk, etc.) as well as Amazon tooling. At One Medical, we expect a Staff Security Engineer to be involved with local and virtual communities around one or more of our stacks: Rails, Node, Go, Python, and others. A Staff Engineer must also have significant hands-on familiarity with at least one of these frameworks and its tooling. Here at One Medical, security is not a waterfall-style afterthought; it is baked into our software development processes and represents a "shift-left" style of security collaboration. You will be especially adept at giving software developers options rather than strict security requirements.
The team itself is highly collaborative and is always sharing learnings from its own members as well as from the adjacent teams in the security organization: our colleagues in Enterprise Security and in Detection and Response. Product Security also works with our Technical Compliance group when it reviews our compliance with HIPAA, SOX, SOC 2, and other regulatory and compliance frameworks.
What you'll work on:
- Participate in Product Development architecture and strategy meetings and discussions; in particular, you are a sounding board and guide for architectural considerations regarding access control and systems integration
- Help align One Medical’s application security practices with Amazon’s secure-by-design patterns
- Conduct Application Security Assessments, Security Architecture Reviews, and Threat Modeling
- Analyze security test results, document risks, and recommend mitigating controls
- Design new security automation and select tooling to improve our detection of application vulnerabilities, and to assist in the remediation of findings
- Provide security subject matter expertise to the Product Security team itself and to development teams, developing secure coding practices and delivering hands-on training for developers and quality engineers
- Contribute to our incident response and vulnerability remediation efforts
- Conduct security research, give presentations, collaborate with the security industry, and participate in hackathons
- On occasion, step in on hands-on security testing and code review of internally developed applications
What you’ll need:
- 7+ years of application security experience, or 5+ years of application security experience and 2+ years of software development experience
- Proven skills communicating and collaborating with product development leadership
- Significant experience collaborating with product development teams
- Significant experience in leading application security assessments, security architecture reviews, threat modeling, manual code reviews, and security design reviews
- Proven track record mentoring and maturing product security engineers
- Experience providing security recommendations and guidance in at least two of the following languages/frameworks: Ruby on Rails, Python, Go, JavaScript, React, Angular, Swift, Kotlin, C, C++
- Extensive experience identifying, testing for, and remediating vulnerabilities, including those found in the OWASP Top 10 and the CWE/SANS Top 25
- Experience building automation and/or writing scripts to solve security problems
Not required, but would be great if you also have:
- OSCP, OSWE, GPEN or similar certifications
- Contributions to the security community such as research, public CVEs, bug-bounty recognitions, open-source projects, and blogs or publications
- Experience working in highly regulated environments subject to compliance requirements such as HIPAA and PCI
- Experience with authentication/authorization technologies, like OpenID Connect, JWTs, SAML, and HMACs
- Experience with the security considerations for data pipelines, reporting, ML, and LLMs
- Experience with mobile security reviews and testing
- Dual Builder / Breaker mindset: Passion for breaking things and working alongside teams to fix them
- Familiarity with books and articles by authors such as Loren Kohnfelder, Adam Shostack, Dafydd Stuttard, etc.
- A writing sample that is a threat model, a security design review, or a memo to a development team regarding an issue (confidential information may be redacted)
- Good sense of humor :)
Benefits designed to aid your health and wellness:
Taking care of you today
- Paid sabbatical after 5 and 10 years
- Employee Assistance Program - Free confidential advice for team members who need help with stress, anxiety, financial planning, and legal issues
- Competitive Medical, Dental and Vision plans
- Free One Medical memberships for yourself, your friends and family
- Pre-Tax commuter benefits
- PTO cash outs - Option to cash out up to 40 accrued hours per year
Protecting your future for you and your family
- 401K match
- Opportunity to participate in company equity programs
- Credit towards emergency childcare
- Company paid maternity and paternity leave
- Paid Life Insurance - One Medical pays 100% of the cost of Basic Life Insurance
- Disability insurance - One Medical pays 100% of the cost of Short Term and Long Term Disability Insurance
This is a full-time role based anywhere in the United States.
One Medical is committed to fair and equitable compensation practices.
The base salary range for this role is $152,000 to $270,000 annually. However, actual compensation packages are based on several factors that are unique to each candidate. These factors include, but are not limited to, job related knowledge and skill set, depth of experience, certifications and/or degrees, and specific work location.
The total compensation package for certain roles may also include additional components such as a sign-on bonus, equity grants in the form of RSUs, medical and other benefits and/or other applicable incentive compensation plans.
One Medical is an equal opportunity employer, and we encourage qualified applicants of every background, ability, and life experience to contact us about appropriate employment opportunities.
One Medical participates in E-Verify and will provide the federal government with your Form I-9 information to confirm that you are authorized to work in the U.S. Please refer to the E-Verification Poster (English/Spanish) and Right to Work Poster (English/Spanish) for additional information.