Pomelo Care is the national leader in evidence-based healthcare for women and children, and they are seeking a Senior Product Security Engineer to enhance their security measures within software development. This role involves designing secure architectures, leading privacy initiatives, and managing the full lifecycle of security remediations, all while collaborating closely with engineering teams.
Responsibilities:
- Design and implement auth enhancements such as magic link improvements and access/audit log features to monitor access and improve transparency
- Lead privacy engineering initiatives, including DSAR integration and building automated data deletion capabilities directly into the Pomelo mobile app and our internal platform to ensure seamless compliance
- Own the end-to-end pentest-to-fix lifecycle: triage reports, write code to fix penetration test findings, remediate SAST issues, and build greenkeeping systems for high-volume dependency patching with regression testing
- Build secure-by-default libraries to reduce the load on core Software Engineering by creating internal libraries and patterns that make security the default path
- Partner with engineering leads to conduct threat modeling and ensure secure design at the earliest stages of the development process
- Help engineering squads navigate complex security use cases, translating GRC requirements into elegant code rather than manual checklists
Requirements:
- 5+ years of software engineering experience with a strong foundation in computer science and a track record of shipping production-grade code (Python, Go, Kotlin or similar)
- Understanding of the OWASP Top 10, identity flows and prompt injection
- Ability to build systems that eliminate a class of vulnerability rather than manually triaging individual alerts
- Belief that security expertise should be embedded into the development process, not bolted on at the end
- Enjoys tackling complex problems with practical automation
- Keeps up with trends in LLM agents to multiply engineering impact
- Comfortable context-switching and able to quickly build rapport with different engineering teams to understand their needs
- Experience with Google Cloud Platform (GCP), GitHub Advanced Security (GHAS), Stytch, Sentry, Fullstory, Statsig or a similar technology stack
- Prior experience in healthcare data, including understanding of HIPAA, SOC 2 Type 2 and HITRUST compliance requirements
- Experience building data infrastructure that supports AI/ML workloads, internal developer platforms, and privacy-preserving data de-identification and anonymization techniques
- Previously worked in a fast-paced, product-oriented startup environment