The position.

The engineering team at Root strives to be one of the most transformative engineering teams ever. We’re changing the way an industry works by leveraging technology and data to build the best products possible. Even with our significant growth, we operate in small teams that are given ownership over projects and results. We’ve found that the people closest to the problems are the best at solving them. We’re actively hiring Engineers remotely and excited to announce that Root is a “work where it works best” company. Meaning we will support you working in whatever location that works best for you across the US. We will continue to have our headquarters in Columbus and offices in other locations to give more flexibility and more choice about how we live and work.
Root’s Information Security team is dedicated to managing information security risk within the organization, while enabling development and product teams to do their cutting-edge work, and we’re looking for an experienced Application Security Engineer to join us. In this role, you’ll be a key contributor to how Root implements DevSecOps, and be able to influence our approach and ensure what we deliver to our customer is as secure as possible.
What you’ll achieve.

• Deliver secure, high-quality features by working closely with Product and Engineering teams
• Coordinate and drive remediation of identified vulnerabilities and control deficiencies
• Integrate security test automation and tooling within CI/CD pipelines
• Coach engineers on how to find and fix security bugs, and provide guidance to developers around secure coding techniques and methods
• Perform design and code reviews to identify risk and assist developers in improving overall product security
• Work across teams to tackle complex security issues

What we’re looking for.

• Deep understanding of common web and application architectures and technologies, and relevant security concepts
• Experience with several programming paradigms and at least one common programming language/environment
• Experience evaluating and securing web and mobile applications against common security issues (including OWASP Top 10)
• An understanding of cloud environments and providers, as well as implementations of application security concepts within them
• Solid knowledge of continuous integration pipelines and automating security feedback
• Experience maturing a Secure Software Development Lifecycle using DevSecOps approaches
• An understanding of how to take business goals into account when making technical decisions, and communicating application security and other technical concepts to non-technical stakeholders