Hims & Hers is the leading health and wellness platform, on a mission to help the world feel great through the power of better health. They are seeking a Senior Application Security Engineer II to ensure the security of applications throughout the development lifecycle, focusing on modern security practices including AI/ML security considerations.
Responsibilities:
- Conduct security assessments using SAST, DAST, and SCA tools to identify vulnerabilities in applications
- Perform code reviews and provide secure coding guidance to development teams
- Implement and maintain GitHub Advanced Security, including secret scanning and code scanning
- Assess and improve security of Infrastructure as Code (IaC) deployments using Terraform
- Evaluate container security in our Docker and Kubernetes environments
- Support CI/CD security integration and automation
- Conduct penetration testing and red team/purple team exercises on applications
- Review and secure API implementations, with focus on GraphQL security
- Evaluate AI/ML model security and implement protections against prompt injection and other AI-specific threats
- Collaborate with the Staff AppSec Engineer on CIAM and advanced AI security initiatives
- Maintain security documentation and contribute to security awareness training
Requirements:
- Bachelor's degree in Computer Science, Cybersecurity, Information Technology, or related field
- 5-8 years of experience in application security or related security field
- Hands-on coding experience and ability to review code in multiple languages
- Professional experience with SAST tools (e.g., SonarQube, Checkmarx, Fortify)
- Professional experience with DAST tools (e.g., Burp Suite, OWASP ZAP)
- Professional experience with SCA tools (e.g., Snyk, Black Duck, WhiteSource)
- Experience with GitHub Advanced Security features
- Experience with container security scanning and IaC security scanning tools
- Strong understanding of OWASP Top 10 and secure coding practices
- Experience with penetration testing methodologies
- Knowledge of security frameworks: NIST CSF, NIST 800-53, SOC 2, PCI DSS
- Excellent communication skills to articulate security findings to technical and non-technical stakeholders
- Industry certifications such as GIAC (GWEB, GSSP, GCSA), SANS, or OSCP
- Experience with Oligo, Socket, or NowSecure for mobile/runtime security
- AI/ML security and prompt injection prevention experience
- Cloudflare WAF and Bot Management configuration (nice to have)
- Purple team and red team exercise experience
- Security automation and scripting (Python, Go, or similar)
- Contributions to the security community (research, tools, presentations)
- Experience in healthcare or regulated industries