Pomelo Care is the leading virtual medical practice for women and children, providing care across various stages of life. They are seeking a Senior Software Engineer, Product Security to build automation and tools that integrate security into the software development lifecycle, ensuring the protection of critical systems and patient data.
Responsibilities:
- Design and implement auth enhancements such as magic link improvements and access/audit log features to monitor access and improve transparency
- Lead the privacy engineering initiatives including DSAR integration, building automated data deletion capabilities directly into the Pomelo mobile app and our internal platform to ensure seamless compliance
- Own the end-to-end pentest-to-fix lifecycle, triaging reports, writing code to fix penetration test findings, remediating SAST issues, and building systems for high-volume dependency patching with regression testing
- Build secure-by-default libraries to reduce the load on core Software Engineering by creating internal libraries and patterns that make security the default path
- Partner with engineering leads to conduct threat modeling and ensure secure design at the earliest stages of the development process
- Help engineering squads navigate complex security use cases, translating GRC requirements into elegant code rather than manual checklists
Requirements:
- You have 5+ years of software engineering experience and are ready to pivot to a full-time security role, bringing a strong foundation in computer science and a track record of shipping production-grade code (Python, Go, Kotlin or similar)
- You understand the OWASP Top 10, identity flows and prompt injections, but you'd rather build a system that eliminates a class of vulnerability than manually triage individual alerts
- You believe security expertise should be embedded into the development process, not bolted on at the end
- You enjoy tackling complex problems with practical automation and are keeping up with trends in LLM agents to multiply your engineering impact
- You are comfortable context-switching and can quickly build rapport with different engineering teams to understand their needs
- Have experience with Google Cloud Platform (GCP), Github Advanced Security (GHAS), Stytch, Sentry, Fullstory, Statsig or similar technology stack
- Have prior experience in healthcare data, including understanding of HIPAA, SOC 2 Type 2 and HITRUST compliance requirements
- Have experience building data infrastructure that supports AI/ML workloads, internal developer platforms and privacy preserving data de-identification and anonymization techniques
- Have previously worked in a fast-paced, product-oriented startup environment