Lead Security Engineer

Here at Hinge Health, we welcome all applicants and know a diverse team makes us better and stronger. We look for individuals who embody our leadership principles and we value varied experiences and skill sets. Beyond specific work experience, we also look for unique capabilities and skill sets that are key indicators an applicant will thrive in our fast-paced, frequently evolving environment. If this sounds like the kind of place you'd like to be part of, please apply - we would love to hear from you!

Hinge Health Hybrid Model:

We believe that remote work and in-person work have their own advantages and disadvantages, and we want to be able to leverage the best of both worlds. Employees in hybrid roles are required to be in the office 2 days/week. We will be expanding to 3 days/week in the office beginning April of 2024.

About the Role

We're looking for a detail oriented and technically proficient individual to join us in maturing the Application and Product Security group within the Security team. This function is growing, and you will have an opportunity to help shape the group's direction and grow with it.

Security Engineers will evaluate requests for the use of new AWS services, make recommendations whether the service should be used in our environment and if approved assess the risks, and create standards and guidelines for use of those services.

A Security Engineer will evaluate these requests for new infrastructure or changes to existing infrastructure against the Security pillar of the AWS Well-Architected Framework, HIPAA, HITRUST, CIS Benchmarks, other regulatory requirements and other security best practices and frameworks as needed.

Security Engineers (Infrastructure and DevOps) focus on where our applications interact with and rely on infrastructure components, typically AWS, and our CI/CD pipeline. You will work directly with Engineering teams including developers, Developer Experience (CI/CD), SRE and other infrastructure teams to integrate security into stages of our Secure Software Development Life Cycle. This includes, working closely with the Developer Experience team to ensure all Application Security tools and scanners are integrated into CI/CD pipelines in a standardized manner while meeting all the needs of the Application Security team.

This role will also respond to security related design and implementation questions regarding infrastructure (AWS), integrated/supporting SaaS tools, and Application Security originating from Engineering teams with a focus on quick response and resolution to enable these teams to implement secure infrastructure, CI/CD pipelines, and internally developed microservices in a timely manner.

They may also be expected to assist in proactively identifying, assessing, advising engineering teams in the prioritization and remediation of source code security vulnerabilities. Security Engineers are expected to do so using multiple methods and tools including but not limited to manual penetration testing, outputs from automated security scanning tools including Software Composition Analysis, Static Application Security Testing, Dynamic Application Security Testing, and the findings from third-party application penetration tests.

Security Engineers also work with the Security Operations and Infrastructure teams to deploy and maintain security tools within the Hinge Health environment and assist in the tuning of these tools.

Security Engineers will be part of the incident response team as subject matter experts as needed. They may also be called upon as subject matter experts to assist other teams with third party security assessment requests.

WHAT YOU'LL ACCOMPLISH

• Evaluate requests for the use of new AWS services, make recommendations whether the service should be used in our environment and if approved assess the risks, create standards and guidelines for use of those services.
• Review proposed changes and additions to AWS infrastructure against the Security pillar of the AWS Well-Architected Framework, HIPAA, HITRUST, other regulatory requirements and other security best practices and frameworks as needed.
• Contribute to the improvement of existing standards and guidelines for the use of IaaS infrastructure and related SaaS platforms including those hosted within AWS.
• Review Terraform Infrastructure as Code (IaC) change requests to ensure the changes meet all security requirements and verify the change being made adheres to the reviewed design.
• Review current and proposed integrations between Hinge Health infrastructure and third party SaaS platforms and integrations partners/clients. Assist Security Risk team with risk assessments of these platforms and integrations and the IAM team with any required service accounts, API keys, etc.
• Contribute to the improvement of Software Development Life Cycle management policies, procedures, and standards.
• Implement automated security scanning tools (SCA, SAST, DAST, etc.) into the CI/CD pipeline and assist with triage and risk assessment of results.

WHAT WE'RE LOOKING FOR

• Securing Cloud Infrastructure: Ability to use well known control frameworks (HITRUST CSF, NIST, etc.), vendor best practices (AWS Well-Architected Framework) and security industry best practices to develop policies, procedures and standards for the secure use of a variety of cloud hosted services. Examples include but are not limited to applying the principle of least privilege in design AWS IAM permissions, securing Amazon EKS, Amazon Aurora, and Amazon S3.
• Automate Security Testing: Ability to configure and automate security scans as part of the CI/CD process, interpret the results and work directly with engineers on prioritization and remediation.
• Communication: Ability to partner with engineers and product managers to implement security by design.
• Judgment: Ability to assess the risk of vulnerabilities, tradeoffs in designs, etc. to categorize and prioritize remediation work.
• Incident Handling: Be able to work as a subject matter expert in the security controls, internal communications, and infrastructure of Hinge Health applications during security incidents.
• Proactive: Enjoys proactively, asking questions and examining systems and processes for possible flaws and reaching out to relevant teams to identify and verify vulnerabilities that may not have been found by automated scanning and schedule manual reviews.

BONUS POINTS

• Experience securing applications in Health Care, securing ePHI and HIPAA/HITECH regulations.
• Experience with any of the following, deploying web based services on AWS infrastructure, Kubernetes, Aurora/RDS, GitHub Actions, Terraform IaC
• Familiarity with HITRUST CSF and NIST control frameworks.
• Experience in Threat Modeling
• Typescript, ReactNative, Ruby on Rails, GraphQL
• Experience performing security assessments and secure design of hardware and firmware of medical devices communicating over Bluetooth

About Hinge Health:

LinkedIn recently named Hinge Health one of the Top 50 Startups. Forbes, Fast Company, and Inc. have also recognized our technology, innovation, and culture.

Since our founding in 2014, we've raised more than $800 million from leading investors, including Coatue and Tiger Global. We work with 1000 customers across every industry and the public sector - including Salesforce, Verizon, and the State of New Jersey - to give more than 23 million people access to the care they need. We're positioned to continue leading the market with unmatched investments in clinical research, care innovation, machine learning, AI, and computer vision.

Diversity and Inclusion:

We're committed to building diverse teams that reflect the communities we serve. Visit hingehealth.com/diversity-equity-and-inclusion to learn more about what moves us.

Hinge Health is an equal opportunity employer and prohibits discrimination and harassment of any kind. We make employment decisions without regards to race, color, religion, sex, sexual orientation, gender identity, national origin, age, veteran status, disability status, pregnancy, or any other basis protected by federal, state or local law. We also consider qualified applicants regardless of criminal histories, consistent with legal requirements.

We provide reasonable accommodations for candidates with disabilities. If you feel you need assistance or an accommodation due to a disability, let us know by reaching out to your recruiter.

By providing your information through this page or applying for a job at Hinge Health, you acknowledge that Hinge Health will collect, use, and process your information as part of our job application process. For more information on how Hinge Health processes your personal information, click here to view our Applicant and Personnel Privacy Notice.

Disclaimer:

There continues to be a significant increase in phishing attempts across all industries where fraudsters are impersonating real employees and sending fictitious job offers to applicants in a scheme to obtain sensitive information. Please note that we will never ask for your financial information at any part of the interview process including the post-offer stage, and will only correspond through @hingehealth.com domain email addresses.

If you encounter any suspicious activity, we recommend you cease all communication with the individual and consider reporting them to the U.S. FBI Internet Crime Complaint Center. If you would like to verify the legitimacy of an email you received from our recruiting team, please forward it to security@hingehealth.com

Please do not send resumes via email