Senior Application Security Engineer

Remote
Sorry, this job was removed at 4:25 p.m. (CST) on Wednesday, December 22, 2021

Verana Health partners with leading medical associations to transform clinical data into actionable real-world evidence. These partnerships enable Verana to harness the comprehensive data found in qualified clinical data registries and other specialty data sources to accelerate medical research and enhance patient care. Verana raised $100 million from investors including GV, formerly Google Ventures, and Bain Capital Ventures, showing a continued thirst for new data-driven approaches to treating disease.

Our team is reinventing how medical research happens with data and technology. This is a company built by and for people who are looking to get out of their comfort zone and try new things, who want to learn and grow quickly, and who seek to be part of a mission-driven team committed to improving patient lives. Our headquarters are located in San Francisco and we have additional offices in Knoxville, TN and New York City with employees working remotely in AZ, CA, FL, GA, IL, MA, NC, NJ, NY, OR, PA, TN, TX, VA, WA, and WI. All employees are required to have permanent residency in one of these states. Candidates who are willing to relocate are also encouraged to apply.

Verana Health is seeking a Senior AppSec Engineer for a technical, hands-on role that will involve evaluating and enforcing application security in all phases of the Software Development Life Cycle. This position will work closely with our development, Information Security, Privacy and DevSecOps teams to define and implement application security standards, perform software architecture design reviews and threat modeling, conduct security testing, and support the identification, interpretation, and remediation of vulnerabilities across a variety of applications, programming languages and platforms.


Job Duties and Responsibilities:

Primary Responsibilities:

  • Lead and coordinate various aspects of software design and development best practice implementations.
  • Be a liaison to the application development team, reviewing all policies around application development and bringing implementation-level recommendations.
  • Lead architecture design reviews with development and product management to incorporate effective threat modeling and security standards and tools into product design and development.
  • Participate in strategic activities as a proponent of security objectives and ensure their consideration in product and operational planning across all teams.
  • Educate team members and all engineers on application secure coding standards and best practices, establish regular educational activities, recommend and attend appropriate training.
  • Explain and demonstrate vulnerabilities to application and system owners and provide recommendations for mitigation, thus uplifting the vulnerability management program.

Desired Skills:

  • Bachelor's degree in an Information Technology related field of study or equivalent experience.
  • Certification in Application development security is preferred.
  • 5+ years of combined experience in an application security and/or software engineering role is required.
  • Knowledge of information security principles, web applications and a level of familiarity with malicious code and common techniques used by hackers.
  • Knowledge of AWS or other cloud-based infrastructure architecture, services and security.
  • Knowledge of microservices architectures.
  • Solid understanding of the HTTP protocol.
  • Can read and understand source code in manual code reviews, such as .NET, React.js, Java (including Spring Boot), etc.
  • Thorough understanding of SDLC as well as software security maturity models like the Building Security In Maturity Model (BSIMM) and/or the OWASP Software Assurance Maturity Model.
  • Experience conducting secure code development training.
  • Experience using Agile software development and project management.
  • Experience with common SDLC tools: static and dynamic code analysis, open source management, threat modeling, etc.
  • Knowledge of CI/CD pipelines for application code and infrastructure.
  • Knowledge of cryptographic tools or security APIs is a plus.
  • Excellent problem solving and analytical skills; outstanding oral and written communication skills.
  • Self-motivation and the ability to work under minimal supervision.
  • Strong knowledge of network and web application exploitation, ethical hacking, penetration testing, computer forensics and tool development.
  • Thorough understanding and knowledge of the OWASP Top 10.

Additional Skills:

  • Excellent writing and verbal communication skills
  • Experience with cloud security concepts
  • Experience with data protection and data classification in the cloud
  • Knowledge of cloud resiliency processes and tools
  • Strong understanding of Segregation of Duties (SOD) frameworks, sensitive access management and enabling integration with privileged access management
  • Knowledge of cloud governance and audit procedures
  • Knowledge of DevSecOps and Cloud automation

Verana Health values our employees' well-being and happiness. We provide fully covered health, vision and dental for employees, flexible vacation plans, learning and development allowances, a generous parental leave policy, 401(k) and commuter benefits.

More Information on Verana Health
Verana Health operates in the Healthtech industry. The company is located in San Francisco, CA. Verana Health was founded in 2018. It has 121 total employees. It offers perks and benefits such as Volunteer in local community, Partners with nonprofits, Friends outside of work, Eat lunch together, Intracompany committees and Open door policy.