Application Security Engineer

Collective Health, San Francisco

Leading the healthcare evolution

Our security team at Collective Health is at the heart of the company’s success. We spend a lot of time actively working with the broader community instead of opposing them, and we find that it pays off in spades. As part of the security team you’ll be responsible for ensuring the success of the collaborative security pipeline we’ve built out, and for actively encouraging and promoting the internal secure SDLC we have here.


  • Augment our Continuous Integration and Continuous Deployment pipeline to include better security controls
  • Perform code audits on internal and open source libraries for inclusion in our products
  • Assist in the architecting of new products, features and capabilities
  • Partner with stakeholders from the various teams we have here in order to ensure good security outcomes
  • Perform application vulnerability assessments and penetration testing on core applications and 3rd party solutions
  • Provide detailed explanations of the security issues found and ensure appropriate explanations are provided and remediations are performed according to the SLA
  • Lead technical security experts in the augmentation of our Continuous Integration (CI) pipeline to include security testing; collaborate with stakeholders on overall CI/CD vision and implementation strategy
  • Provide technical leadership and mentorship on security topics
  • Contribute to the security industry through open source software, research, white papers or presentations

Minimum Qualifications

  • Experience programming in one or more of the following languages: Python, Go or Java
  • Experience working with cloud networks (AWS, GCP, DO, Azure)
  • Experience with common attack scenarios in the various common layers within our infrastructure (cloud-based issues, code quality, insider threat, etc.)
  • Deep understanding of information security principles
  • Practical experience conducting web application security reviews and moderate knowledge of network-based penetration testing

Desired Qualifications

  • Understanding of a wide range of application-based vulnerability classes (e.g. SQLi, XSS)
  • Strong scripting experience and moderate programming experience in the security field (custom tools, workflows, etc.)
  • Well versed in application security principles and architectural best practices
  • Knowledge and awareness of building threat and risk models for an application suite
  • Ability to perform secure code review and translate findings into remediation patterns
  • Published work in the vulnerability research or information security field

If many or most of the following items apply to you, we'd love to talk!

  • 5+ years of experience in a regulated organization (e.g. HIPAA compliance - pharma, biotech, health insurance)
  • 3-5+ years building or running technical security teams
  • Experience as an accountable “Security Officer” of a regulated environment or organization (e.g. FISMA, HIPAA, PCI-DSS)
  • Hands-on technical and/or development expertise in Application or Product Security domains, including:
    • 2+ years of static and dynamic analysis techniques management experience (developing models or executing analysis tooling)
    • 2+ years of Java, Ruby, Go, or Python software application development management experience
    • 3+ years of web application vulnerability discovery or detection management
  • Deep understanding of information security principles
  • Ability to work effectively with and influence groups throughout the organization
  • Relevant network and network security experience (OSI model, firewalls, 802.1x, IPS, IDS, VPN)
  • Relevant systems security experience (HIDS, system hardening, cgroups, etc.)
  • Experience automating security incident event monitoring infrastructure

You get extra bonus points for:

  • Contributions to and maintenance of open source projects
  • Experience working with public cloud services (AWS, Azure, etc.)
  • Familiarity with Service Oriented Architecture and/or microservices-based architecture
  • Familiarity with container-based infrastructure orchestration (e.g. Docker, Kubernetes, Mesos)
  • Experience with NIST security frameworks
  • Experience working in healthcare, financial, or other regulated environments
  • Experience with breaking encryption, authentication, or authorization system flows

Collective Health is a technology company working to create the healthcare experience we all deserve. Founded in 2013, our team of engineers, designers, product managers, and actuaries are redefining the $1 trillion market of employer-sponsored health benefits with data-driven and people-focused products. Our complete health benefits solution helps great companies like Activision Blizzard, Palantir, Restoration Hardware, and Pinterest take care of their people by harnessing the power of design and technology. Based in San Francisco, CA, we’re backed by some of the best investors in Silicon Valley including Google Ventures, Founders Fund, NEA, and Redpoint Ventures. For more information, visit us at https://www.collectivehealth.com.

We are an equal opportunity employer and value diversity at our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status.

About Collective Health

While medical technology continues to take giant steps forward, somehow the systems driving health coverage are still stuck in the past. The experience we have today is confusing. It’s painful. And we all deserve better. Collective Health was founded on the belief that better is possible. Driven by our mission to make understanding, navigating, and paying for care effortless, we’ve evolved the way health benefits work. More than 155 million Americans count on an employer for coverage. That's why, with the technology to create a more intelligent solution and the compassion to know that every person matters, we deliver a connected healthcare experience for companies who want the best for their employees.

Want to learn more about Collective Health? Visit Collective Health's website.