Senior Application Security Engineer

Summary

Join Heartflow, a medical technology company revolutionizing precision heart care, as a Senior Application Security Engineer. You will partner with our engineering team to integrate security into our Software Development Lifecycle (SDLC). This role involves defining secure coding practices, threat modeling, implementing developer security tools, and managing vulnerabilities. You will also build security awareness through training and translate compliance requirements into technical specifications. Heartflow offers a competitive salary, cash bonus, and stock options. We are committed to a diverse and inclusive work environment.

Requirements

• Security Communication – Ability to reason about risk in complex environments and communicate that risk to technical and non-technical audiences. Experience leading training, speaking internally/externally about security projects valued
• Securing SDLC – Experience building or improving secure SDLC activities, including threat modeling, code review, security testing and vulnerability management
• Programming Skills – Experience writing and maintaining code in at least one modern programming language and with at least one scripting language (Heartflow uses C++/Python). Comfortable with testing frameworks and CI/CD pipelines
• Infrastructure as Code & Cloud – Familiarity with AWS (or equivalent cloud providers) and configuration tools (Terraform, Chef, Ansible). Experience with containerization (Docker, Kubernetes) and orchestration (GitHub Actions or similar)
• Education & Experience – BS in Computer Science (or related degree) or relevant certifications and equivalent experience. 4+ years experience working in Application Security
• Regulated Environment Readiness – Understanding of—or willingness to learn—compliance, documentation, and quality requirements in medical or similarly regulated fields

Responsibilities

• Partner with the engineering team to define secure coding practices, threat model our products and carry out essential parts of a secure SDLC
• Collaborate with DevOps on identifying and implementing developer tools that support security best practices and identify security risks and vulnerabilities
• Drive vulnerability identification using SAST, DAST and SCA tooling and manage external penetration testing
• Support engineering team on vulnerability management, including risk assessment, remediation and improving identification of vulnerabilities
• Build security awareness through training on secure coding practices, security standards and latest security threats
• Translate security and privacy compliance requirements into technical requirements and support information security team through

Preferred Qualifications

• Healthcare Experience – Current knowledge of HIPAA, HITRUST and the complexities of working in a regulated environment. Experience with Software as a Medical Device (SaMD) is especially valuable
• Knowledge of Modern AI Security Threats – Experience working with or ability to discuss current AI threats for both machine learning and generative AI

Benefits

A reasonable estimate of the base salary compensation range is $125,000 to $185,000 (for locations outside of San Francisco Bay Area) and $146,000 to $210,000 (for San Francisco Bay Area) per year, cash bonus, and stock options