Principal Application Security Engineer

Join us as we work to create a thriving ecosystem that delivers accessible, high-quality, and sustainable healthcare for all.

athenahealth is changing the way the healthcare industry works. With our best in breed suite of cloud software products, we've taken healthcare into the modern age empowering medical care providers to get back to what they do best-- treating patients. athena's culture is idealistic, entrepreneurial, and extremely fast paced; a sharp contrast to the culture typically found in medical offices or healthcare service companies. We aspire to be a diverse team of change agents driven by an entrepreneurial spirit, a passion for excellence and a desire to make the administrative processes in healthcare delivery run much better.
 

Help make health information more secure! Information Security department at athenahealth is looking for a Principal Application Security Engineer to help increase the security capabilities of our teams.  Join a collaborative group that solves new and interesting application security problems at scale. With over 100 million patient records, athenahealth faces unique challenges that can only be solved by curious and driven people. Use your security, engineering, and communication skills to make a difference with the company that allows medical professionals to focus on what they do best - treat patients.

Position Summary:

As a Principal Security Engineer, you will work closely with scrum teams, product managers, and engineering leadership to improve the quality and adoption of athena’s Secure Deverlopment Lpractices. This will include but is not restricted to automated testing via static and dynamic code analysis tools; threat modeling exercises; architecture review; and training in secure coding techniques. The primary goal is to prevent vulnerabilities from being introduced into the product features during the development lifecycle. Your skills will be relied on to provide platform and product teams with security expertise to increasingly secure our products via coaching, consulting and guidance.

Responsibilities may include, but are not limited to:

• Drive execution of key security best practices across the R&D organization. Explain and ensure correct use of security concepts such as authentication and authorization concepts, correct use of secrets and data storage methods.
• Lead prioritization of code review and security testing tools findings prioritization
• Contribute to enterprise security catalog of best practices, techniques and patterns to enable secure implementation of features in products/product families
• Instruct R&D engineers on latest security risks to build a growing awareness that can be used during the design and architectural phase
• Identify and explain feature level design or architectural weaknesses which could result in security issues
• Work with key stakeholders including enterprise security leadership to track open issues and follow up to resolution
• Experience working with datasets and data warehouses to collect, report and present operational data related to security vulnerabilities remediation and exception handling 
• Work with key stakeholders like DevOps, infrastructure teams, et al to build security hardened tech stacks that are used to develop, build and release code
• Document, share and help automate coverage for common abuse cases and attack personas.

Education, Experience, and Skills Required:

• Bachelor's degree in Computer Science, Computer Engineering, Cyber Security or equivalent experience
• At least 10 years experience as a software developer and 2-4 years in a security-focused development role in an agile development environment
• Experience in software and product design, product security, security issue prevention and mitigation strategies
• Experience in understanding and resolving security issues, preferably in a healthcare context
• Strong knowledge of programming languages - Java, JavaScript (NodeJS), Perl, Python, Groovy etc
• Knowledge of key security technologies like OAuth, SAML, etc.
• Understanding of the web services domain including RESTful services, Service Bus architectures, JSON etc
• Experience with Static and Dynamic Code Analysis tools like Zap, VeraCode, Checkmarx, AppSpider, HP Fortify, HP WebInspect, IBM AppScan and other tools
• 2-5 years of experience working with OWASP, SANS Standards or OSSTMM and experience with Commercial Off The Shelf (COTS) security products in DevOps environment

Preferred Qualifications:

• Current knowledge of HIPAA, HITRUST, PCI-DSS requirements
• Experience analyzing software features, systems and infrastructure to build threat models
• 2-5 years of experience of assessing threats, risk, and vulnerabilities, while working with internal/external pen testing teams
• Familiarity with coaching security thinking for teams’ agile definition of done
• Experience with working with private and public cloud technologies including AWS, Azure, etc
• Experience driving the adoption of Security Standards in a large engineering organization
• Experience in measuring and metrics for a secure development lifecycle program including BSIMM, OpenSAMM, SAFECode

Behaviors & Abilities Required:

• Ability to define and execute work independently
• Capability to lead or contribute to teams as necessary
• Exercise influence without authority
• Initiative to continuously learn about security and systems
• Being plugged into the evolving threat landscape
• Staying current on latest attack vectors
• Desire to have fun and grow professionally at work

 
athenahealth is committed to a policy of equal employment opportunity. We recruit and hire applicants without regard to race, color, religion, sex (including pregnancy), national origin, disability, age, sexual orientation, veteran status, genetic information, gender identity, gender expression, or any other factor prohibited by law.

https://www.athenahealth.com/careers/equal-opportunity