Lead Security Engineer

Solace

Remote - Worldwide

Summary

Join Solace, a healthcare advocacy marketplace, as our first Lead Security Engineer to build and lead our security department. You will be responsible for securing our patient-facing and internal web applications, protecting sensitive health data, and shaping our security posture. This critical role requires balancing agility with robust security practices, owning end-to-end security processes and implementation. You will work cross-functionally with engineering, DevOps, and compliance teams to ensure HIPAA, SOC 2, and general data privacy adherence. The ideal candidate will have extensive experience in web application security and a strong understanding of relevant regulations. Solace is a Series B startup with a fully remote U.S. team.

Requirements

  • Experience working in a start-up environment
  • 8+ years of experience in web application security or related engineering roles
  • Proficiency with secure web development and auditing practices (e.g., input validation, authentication/authorization mechanisms, encryption in transit and at rest)
  • Experience with threat modeling, vulnerability scanning tools, and manual security testing
  • Familiarity with regulatory/compliance frameworks
  • Experience in healthcare or other regulated industries and knowledge of implementing HIPAA-compliant software

Responsibilities

  • Own web application security across all our products and services (React, Node.js, PostgreSQL, Heroku)
  • Promote a security-first culture within the organization by enforcing secure coding practices
  • Analyze new and existing features for potential security risks
  • Conduct regular threat modeling, vulnerability assessments, and penetration testing (both automated and manual)
  • Work cross-functionally with engineering, DevOps, and compliance teams to ensure HIPAA, SOC 2, and general data privacy adherence
  • Monitor, detect, and respond to potential threats in real time
  • Lead investigations of security incidents and breaches, perform root cause analysis, and support post-incident remediation and reporting
  • Stay current on web vulnerabilities (e.g., OWASP Top 10) and mitigate them proactively
  • Help foster a security-first culture through training, documentation, and mentorship, providing guidance and training to engineering and product teams on secure development practices
This job is filled or no longer available