Lead Security Engineer (Remote)

One in two people experience debilitating back, neck, shoulder, or joint pain — but traditional treatments have failed to meet their needs. Physical therapy can be expensive and hard to access; appointments often involve long commutes and missed work. Making matters worse, unresolved pain can trigger the overuse of opioids and surgeries.

Join us in reimagining healthcare from the ground up. We’re making high-quality care accessible by pairing wearable sensors and computer vision with a world-class clinical team. Hinge Health puts a digital clinic in every member’s pocket. Now millions of people can access personalized digital care from a physical therapist, guidance on behavior change from a health coach, and expert consultations with an orthopedic surgeon. With a single app and wearable technology like our Enso device, we’re helping to reduce pain, surgeries, and opioid use.

Work From Anywhere

Hinge Health employees have the flexibility to work remotely in hubs across the US, Canada, and Latin America or work from our offices in San Francisco, Portland, and Montreal.

About The Role

We’re looking for a detail oriented and technically proficient individual to join us in maturing the Product Security group within the Security team. This function is growing, and you will have an opportunity to help shape the group’s direction and grow with it.

Security Engineers work directly with our Product and Engineering teams to integrate security into the entire Software Development Life Cycle. This includes, working with Product Managers on the design of new or changing features that affect security controls, working with developers on secure methods to implement those features, and working with the infrastructure team to design and deploy a secure platform to run Hinge Health applications.

They are expected to proactively identify, assess, advise and assist in the prioritization and remediation of source code security vulnerabilities. Security Engineers are expected to do so using multiple methods and tools including but not limited to manual penetration testing, outputs from automated security scanning tools including Software Composition Analysis, Static Application Security Testing, Dynamic Application Security Testing, and the findings from third-party application penetration tests.

Security Engineers also work with the Security Operations and Infrastructure teams to deploy and maintain security tools within the Hinge Health environment and assist in the tuning of these tools. Security Engineers may also advise or implement the proper security controls on cloud platforms as required to meet security and compliance standards.

Security Engineers will be part of the incident response team as subject matter experts as needed. They may also be called upon as subject matter experts to assist other teams with third party security assessment requests.

Description Of An Ideal Candidate

The ideal candidate will have experience securing, hardening, and identifying vulnerabilities in web applications, RESTful APIs, and mobile applications (iOS and Android) in a cloud hosted microservice environment. We are looking for an individual who can take a risk-based approach to prioritizing the various aspects of a successful product security program. They should be ready to independently jump in to ask questions and understand the environment and identify potential issues while balancing their findings based on risk and company priorities.

The ideal candidate will also have experience implementing and interpreting the results of automated security scans using SCA, SAST and DAST tools and in performing security assessments and penetration tests of web applications and API endpoints and mobile applications They will also have experience assessing the security of cloud(IaaS) infrastructure, ideally including interpreting automated static scans of Infrastructure as Code source.

They should be enthusiastic about working to help improve all aspects of the Software Development Life Cycle and working with product managers to create a secure and delightful experience for Hinge Health customers.

What You’ll Accomplish

• Implement automated security scanning tools and perform manual security assessments including source code review to harden Hinge Health web applications and API microservices.
• Enable the product teams to create secure by design product features and services by working alongside product managers and engineers during the design phase of projects.
• Coordinate third party security assessments and penetration tests of Hinge Health web applications, API endpoints, and mobile applications, including interpretation of results and verification of remediations.
• Contribute to the improvement of Software Development Life Cycle management policies, procedures, and standards.

What We’re Looking For

• Automated Security Testing: Ability to configure and automate security scans as part of the CI/CD process, interpret the results and work directly with engineers on prioritization and remediation.
• Secure Coding Practices: Ability to examine source code in multiple languages to evaluate controls. Be able to identify common coding and design vulnerabilities. Deep understanding of OWASP Top 10 and other common security flaws.
• Communication: Ability to partner with engineers and product managers to implement security by design.
• Judgment: Ability to assess the risk of vulnerabilities, tradeoffs in designs, etc. to categorize and prioritize remediation work.
• Incident Handling: Be able to work as a subject matter expert in the security controls, internal communications, and infrastructure of Hinge Health applications during security incidents.
• Proactive: Enjoys proactively, asking questions and examining systems and processes for possible flaws and reaching out to relevant teams to identify and verify vulnerabilities that may not have been found by automated scanning and schedule manual reviews.

BONUS POINTS

• Experience securing applications in Health Care, securing ePHI and HIPAA/HITECH regulations.
• Familiarity with HITRUST CSF and NIST control frameworks.
• Experience in Threat Modeling
• Experience performing security assessments and secure design of hardware and firmware of medical devices communicating over Bluetooth
• Experience with any of the following, deploying web based services on AWS infrastructure, Kubernetes, Typescript, ReactNative, Ruby on Rails, GraphQL, IaC using Terraform.

What You’ll Love About Us

• Inclusive healthcare and benefits: On top of comprehensive medical, dental, and vision coverage, we offer help with gender-affirming care, tools for family and fertility planning, and travel reimbursements if healthcare isn’t available where you live
• Modern life stipends: Manage your own learning and development budget and use the mental health and lifestyle stipends to cover your favorite wellness services, workout classes, gym subscriptions, and work-from-home equipment
• Flexible vacation and paid time off: Full-time employees have full flexibility to choose when, how, and why they take time off to rest and recharge

The range of base salary for the position is between $133,800 – $242,900, plus equity, and benefits. Please note that the base salary range is a guideline, and individual total compensation will vary based on factors such as qualifications, skill level, competencies and work location.

About Hinge Health

LinkedIn recently named Hinge Health one of the Top 50 Startups. Forbes, Fast Company, and Inc. have also recognized our technology, innovation, and culture.

Since our founding in 2014, we’ve raised more than $800 million from leading investors, including Coatue and Tiger Global. Today, Hinge Health is the leading Digital MSK Clinic, used by 4 in 5 employers and nearly 90% of health plans with a digital MSK solution. We work with 900+ customers across every industry and the public sector — including Salesforce, Verizon, and the State of New Jersey — to give more than 20 million people access to the care they need. We’re positioned to continue leading the market with unmatched investments in clinical research, care innovation, machine learning, AI, and computer vision.

Diversity And Inclusion

We’re committed to building diverse teams that reflect the communities we serve. Visit hingehealth.com/diversity-equity-and-inclusion to learn more about what moves us.

Hinge Health is an equal opportunity employer and prohibits discrimination and harassment of any kind. We make employment decisions without regards to race, color, religion, sex, sexual orientation, gender identity, national origin, age, veteran status, disability status, pregnancy, or any other basis protected by federal, state or local law. We also consider qualified applicants regardless of criminal histories, consistent with legal requirements.

We provide reasonable accommodations for candidates with disabilities. If you feel you need assistance or an accommodation due to a disability, let us know by reaching out to your recruiter.

If you’re interested – we’d love to hear from you.