Fabric Health is a mission-driven company focused on solving healthcare's biggest challenge: clinical capacity. As a Senior Application Security Engineer, you will lead the application security practice, partnering with engineering teams to embed security throughout the development lifecycle and ensure compliance with industry standards.
Responsibilities:
- Secure Development & Code Review: Partner with engineering teams to embed security throughout the SDLC across Fabric's Ruby on Rails, Python, React, and Node.js applications. Conduct security-focused code reviews and provide actionable guidance on secure coding practices.
- Threat Modeling & Assessment: Lead threat modeling exercises for new features and architectural changes. Conduct application penetration testing and vulnerability assessments across the platform, prioritizing findings and working directly with engineering to drive remediation.
- DevSecOps & Tooling: Implement and manage SAST and DAST tooling integrated into CI/CD pipelines. Build security guardrails and automated checks that allow engineering to move fast without introducing risk to the platform or patient data.
- Compliance & Risk: Ensure application security practices meet HIPAA, SOC 2, and HITRUST requirements. Assess third-party integrations and APIs for security risk, including EHR integrations with Epic and Cerner.
- Security Education & Culture: Run secure coding training and awareness programs for engineering teams. Serve as the internal subject matter expert on application security and lead the response to application-layer security incidents.
Requirements:
- 5+ years of experience in application security with hands-on experience in security assessments, penetration testing, and secure code review
- Proficiency in at least one language in Fabric's stack: Ruby, Python, JavaScript/TypeScript, or similar
- Experience integrating SAST and DAST tooling into CI/CD pipelines
- Deep understanding of the OWASP Top 10 and common application vulnerabilities
- Experience with threat modeling methodologies
- Familiarity with cloud security in AWS environments
- Understanding of HIPAA or other regulated industry security requirements
- Experience securing healthcare applications or working with PHI
- Familiarity with EHR integration security including FHIR, HL7, Epic, or Cerner APIs
- Security certifications such as OSCP, GWEB, or BSCP
- Experience with bug bounty program management
- SOC 2 or HITRUST audit support experience