Charlie Health is a company focused on improving access to behavioral healthcare. They are seeking a Lead Security Engineer to enhance secure development practices across the software development lifecycle and ensure the creation of secure, HIPAA-compliant software solutions.
Responsibilities:
- Collaborate with product and IT engineering teams to design secure applications and features
- Educate developers on secure coding practices and security testing
- Serve as a subject matter expert on internal application security and SDLC controls
- Conduct code reviews, threat models and risk assessments to identify and mitigate vulnerabilities early
- Perform internal penetration testing and support incident response for application-level issues
- Continuously monitor the threat landscape to proactively adjust defenses and strategies
- Develop and implement tools and frameworks to integrate security into CI/CD pipelines
- Work with teams to build and enforce secure SDLC controls in a fast-paced agile environment
- Own and enhance application vulnerability management and remediation processes
- Lead implementation of security policies, standards and remediation processes
- Work cross-functionally to balance security risks with business objectives and product timelines
- Participate in security incident response, forensic investigations and security incident postmortems related to applications and systems
Requirements:
- 5+ years of experience in application security, secure software development, or related roles
- Bachelor's degree in Computer Science or related field, or equivalent experience
- Proficiency in secure coding practices and languages such as TypeScript, Node, Python, Java, C++ or similar
- Ability to contribute code changes to production applications as needed, including debugging, fixing security vulnerabilities, and collaborating with engineering teams on secure feature development
- Hands-on experience with application security tools (e.g., Burp Suite, OWASP ZAP, Fiddler)
- Deep understanding of web application vulnerabilities: XSS, CSRF, SQLi, session management flaws, etc.
- Experience implementing security in CI/CD pipelines (e.g., GitHub Actions) and in agile development workflows
- Familiarity with management and deployment of SAST, DAST, and SCA tooling
- Knowledge of authentication technologies (e.g., Auth0, Okta) and how to securely integrate them with applications
- Strong communication skills with ability to clearly articulate risk to technical and non-technical audiences
- Experience with HIPAA and securing applications in healthcare environments
- OSCP, OSWE or other relevant security certifications
- Experience securing custom software collaboratively on a team
- Familiarity with AWS cloud platform
- Experience contributing to or managing bug bounty programs
- Knowledge of security standards such as SOC2, ISO 27001/2, NIST 800-53, HITRUST, or HIPAA Security Rule
- Ability to write proof-of-concept exploits and perform advanced security analysis