Spring Health is a global mental health company on a mission to eliminate every barrier to mental health. They are seeking a Senior Application Security Engineer II to play a key role in maturing and expanding their AppSec programs while helping shape new initiatives such as a Secure AI Development Lifecycle.
Responsibilities:
- Contribute to the advancement of secure-by-design practices within the team’s S-SDLC program, including participation in architecture reviews, design consultations, and security guidance across the development lifecycle
- Mentor engineers on secure coding practices, AppSec fundamentals, and career growth, fostering a collaborative environment where the team grows stronger together
- Facilitate the development of an AI-assisted threat modeling program, spanning risk identification, security architecture, and proactive program maturity, enabling the ability to scale threat modeling across the organization
- Contribute to maturing the team’s established SAST, SCA, and DAST programs through rule tuning, coverage improvements, and identifying opportunities to strengthen security controls as the organization scales
- Perform security-focused code reviews of internal and open-source libraries, prioritizing findings by exploitability and business impact
- Support vulnerability remediation efforts by assessing impact, proposing solutions, and validating fixes in accordance with the team’s established remediation workflows
- Identify and implement process improvements and security automation using languages such as Go, Python, JavaScript, or Ruby, including the integration of AI tooling to improve team workflows and program efficiency
- Contribute to security assessments of AI-integrated product features, including LLM APIs, vector databases, and RAG pipelines, with a focus on risks such as prompt injection, data leakage, and model supply-chain vulnerabilities
- Contribute to the research, design, and development of a Secure AI Development Lifecycle (ADLC) in accordance with the OWASP Top 10 for LLM Applications and emerging adversarial ML guidance
- Evaluate and recommend AI-assisted security tooling, including AI-augmented SAST and LLM-powered code review, to improve program coverage and team efficiency
Requirements:
- 7+ years of professional experience in application security or a closely related security engineering discipline, including experience working on complex, ambiguous problem areas independently
- Hands-on experience with DAST, SAST, and SCA tools, and manual testing techniques (OWASP, SANS Top 25)
- Demonstrated experience securing CI/CD pipelines with commercial and custom-built tooling
- Experience with IaaS cloud infrastructure (AWS, Azure, or GCP), container technologies, and service-oriented architectures
- Security automation experience in at least one of: Go, Python, JavaScript, or Ruby
- Familiarity with AI/ML security concepts — prompt injection, adversarial inputs, model supply-chain risks, and the OWASP LLM Top 10
- Working knowledge of AI and LLM tooling (e.g., OpenAI, Anthropic, LangChain, or equivalent) sufficient to assess security risk and integrate into automated workflows
- Experience implementing controls aligned to NIST CSF, HIPAA, HITRUST, ISO-27001, or SOC-2
- Strong cross-functional collaboration skills, with experience working alongside engineering, product, and leadership stakeholders to define and advance security priorities and plans
- Bachelor's degree in Computer Science, Engineering, MIS, IT, or equivalent work experience
- 3+ years of demonstrated experience in security architecture, including designing and reviewing security controls across cloud-based, distributed, or service-oriented systems
- Experience leading or contributing to the development of a formal threat modeling program, including tooling selection, methodology design, and adoption across engineering teams
- Hands-on experience evaluating or implementing AI security tooling, including AI-augmented testing, LLM security assessments, or automated risk analysis
- Experience managing a bug bounty or vulnerability disclosure program
- Experience in digital health, healthcare technology, or other HIPAA-regulated environments