Pomelo Care is the leading virtual medical practice for women and children, providing comprehensive care through technology. They are seeking a Senior Software Engineer, Product Security to enhance security within their software development lifecycle by building automation, tools, and workflows to protect critical systems and patient data.
Responsibilities:
- Design and implement auth enhancements such as magic link improvements and access/audit log features to monitor access and improve transparency
- Lead the privacy engineering initiatives including DSAR integration, building automated data deletion capabilities directly into the Pomelo mobile app and our internal platform to ensure seamless compliance
- Own the end-to-end pentest-to-fix lifecycle, triaging reports and writing code to fix penetration test findings, remediating SAST issues, and building greenkeeping systems for high-volume dependency patching with regression testing
- Build secure-by-default libraries to reduce the load on core Software Engineering by creating internal libraries and patterns that make security the default path
- Partner with engineering leads to conduct threat modeling and ensure secure design at the earliest stages of the development process
- Help engineering squads navigate complex security use cases, translating GRC requirements into elegant code rather than manual checklists
Requirements:
- 5+ years of software engineering experience
- Strong foundation in computer science
- Track record of shipping production-grade code (Python, Go, Kotlin or similar)
- Understanding of the OWASP Top 10
- Familiarity with identity flows and prompt injections
- Ability to build systems that eliminate classes of vulnerabilities
- Experience with practical automation
- Comfortable navigating ambiguity and context-switching across engineering teams
- Experience with Google Cloud Platform (GCP)
- Experience with Github Advanced Security (GHAS)
- Experience with Stytch, Sentry, Fullstory, Statsig or similar technology stack
- Prior experience in healthcare data, including understanding of HIPAA, SOC 2 Type 2 and HITRUST compliance requirements
- Experience building data infrastructure that supports AI/ML workloads
- Experience with internal developer platforms and privacy preserving data de-identification and anonymization techniques
- Previous work experience in a fast-paced, product-oriented startup environment