Senior Application Security Engineer

Virta Health

💵 $192k-$248k
📍 Remote - Worldwide

Summary

Join Virta Health as a Senior Application Security Engineer and play a pivotal role in securing our applications and platform. You will be responsible for enhancing security designs within GCP and Kubernetes, championing secure development practices, building and automating security tooling, refining access control, strengthening network security, and developing clear security standards. In this role, you will lead security initiatives, cultivate security awareness, and collaborate with engineering, product, and platform teams. Your initial focus will be on understanding Virta's culture, systems, and security posture, followed by prioritizing and planning improvements, and finally, implementing hands-on solutions. This position requires deep application security expertise, cloud security proficiency, and a strong understanding of automation and IaC principles.

Requirements

  • Deep Application Security Expertise: Significant hands-on experience in application security, including threat modeling, secure coding practices, vulnerability management, and security testing (SAST, DAST, IAST)
  • Cloud Security Proficiency: Strong understanding and practical experience securing cloud-native applications and infrastructure, particularly within cloud environments (GCP strongly preferred)
  • Maturation Mindset: Proven ability to assess existing security designs and strategically mature them over time, moving beyond basic implementations to robust, resilient systems
  • Automation & IaC Skills: Experience building security automation and implementing security controls using Infrastructure as Code (IaC) principles (e.g., Terraform)
  • Collaboration & Influence: Excellent communication skills with the ability to clearly articulate complex security concepts to diverse audiences and influence technical direction across teams. You're comfortable advocating for security best practices
  • Autonomy & Ownership: A proactive, self-directed approach with a strong sense of ownership. You can identify gaps, propose solutions, and drive them to completion independently
  • Pragmatic Approach: Ability to balance security requirements with business needs and development velocity, finding practical solutions that enhance security without hindering progress
  • Security Fundamentals: Solid grasp of networking concepts, identity management (IAM), encryption, and common web application vulnerabilities (e.g., OWASP Top 10)
  • As part of your duties at Virta, you may come in contact with sensitive patient information that is governed by HIPAA. Throughout your career at Virta, you will be expected to follow Virta's security and privacy procedures to ensure our patients' information remains strictly confidential. Security and privacy training will be provided

Responsibilities

  • Own and Enhance Security Design: Assess our current security controls within GCP and Kubernetes, identify areas for improvement, and drive the maturation of our security posture from good to great
  • Champion Secure Development: Partner closely with Engineering, Product, and Platform teams to integrate security best practices early and often ("shift-left") into the software development lifecycle
  • Build and Automate: Design, implement, and manage security tooling and automation to streamline vulnerability detection, remediation, and compliance verification. Replace manual processes with efficient, automated solutions
  • Refine Access Control: Evolve our identity and access management (IAM) strategy, ensuring least-privilege access and robust auditing capabilities across our systems
  • Strengthen Network Security: Continuously improve our network security architecture, policies, and controls within our cloud environment
  • Develop Clear Standards: Establish, document, and communicate practical security policies, standards, and guidelines for engineering teams
  • Lead Security Initiatives: Drive vulnerability management efforts and enhance our incident response preparedness, ensuring we are ready to handle potential threats effectively
  • Cultivate Security Awareness: Act as a security evangelist, promoting security awareness and best practices throughout the engineering organization

Preferred Qualifications

  • Regulated Environment Experience (Bonus): Experience working in healthcare, fintech, or other highly regulated industries is a plus

Benefits

  • Virta has a location-based compensation structure. Starting pay will be based on a number of factors and commensurate with qualifications & experience. For this role, the compensation range is $192,026 - $248,000
  • Information about Virta's benefits is on our Careers page at: https://www.virtahealth.com/careers
  • As a remote-first company, our team is spread across various locations with office hubs in Denver and San Francisco
