Key skills
Application SecuritySecurity AssessmentsPenetration TestingSecure Code ReviewRubyPythonJavaScriptTypeScriptSAST ToolingDAST ToolingCI/CD PipelinesOWASP Top 10Threat ModelingAWSHIPAAPHI SecurityFHIRHL7Epic APIsCerner APIsOSCPGWEBBSCPSOC 2HITRUSTReactNode.jsRuby on RailsRailsSDLCCI/CDOWASPCloud Security
About this role
Fabric is a company that handles protected health information across numerous health systems. As a Senior Application Security Engineer, you will lead the application security practice, partnering with engineering teams to integrate security throughout the development lifecycle and ensuring compliance with health system standards.
Responsibilities:
- Partner with engineering teams to embed security throughout the SDLC across Fabric's Ruby on Rails, Python, React, and Node.js applications
- Conduct security-focused code reviews and provide actionable guidance on secure coding practices
- Lead threat modeling exercises for new features and architectural changes
- Conduct application penetration testing and vulnerability assessments across the platform, prioritizing findings and working directly with engineering to drive remediation
- Implement and manage SAST and DAST tooling integrated into CI/CD pipelines
- Build security guardrails and automated checks that allow engineering to move fast without introducing risk to the platform or patient data
- Ensure application security practices meet HIPAA, SOC 2, and HITRUST requirements
- Assess third-party integrations and APIs for security risk, including EHR integrations with Epic and Cerner
- Run secure coding training and awareness programs for engineering teams
- Serve as the internal subject matter expert on application security and lead response to application-layer security incidents
Requirements:
- 5+ years of experience in application security with hands-on experience in security assessments, penetration testing, and secure code review
- Proficiency in at least one language in Fabric's stack: Ruby, Python, JavaScript/TypeScript, or similar
- Experience integrating SAST and DAST tooling into CI/CD pipelines
- Deep understanding of the OWASP Top 10 and common application vulnerabilities
- Experience with threat modeling methodologies
- Familiarity with cloud security in AWS environments
- Understanding of HIPAA or other regulated industry security requirements
- Experience securing healthcare applications or working with PHI
- Familiarity with EHR integration security including FHIR, HL7, Epic, or Cerner APIs
- Security certifications such as OSCP, GWEB, or BSCP
- Experience with bug bounty program management
- SOC 2 or HITRUST audit support experience