Staff Application Security Engineer

August 3

Apply Now

Receive Emails with Similar Jobs

hims & hers

WebsiteLinkedInAll Job Openings

Healthcare Insurance • eCommerce • Wellness

Hims & Hers is an online platform with over 1 million subscribers that connects patients to licensed healthcare professionals across all 50 states in the U. S. The service offers comprehensive support for sexual health, weight loss, hair regrowth, mental health, and skincare through a 100% online process. Clients can receive personalized treatment plans which may include prescription medications, and benefit from free and discreet shipping. Hims & Hers prides itself on providing accessible and affordable healthcare without the need for insurance, offering transparent pricing and support from licensed providers. It aims to empower individuals by making healthcare and treatment conveniently available on their own terms, including mental health support, which includes treatments for anxiety and depression.

201 - 500 employees

Founded 2017

⚕️ Healthcare Insurance

🛍️ eCommerce

🧘 Wellness

📋 Description

• As a Staff Application Security Engineer, you will be a thought leader as part of the Security Team focused on helping design, implement, and mature innovative and cutting-edge security capabilities. • The Staff Security Engineer champions secure by design and defense in-depth principles into our initiatives, provides hands-on technical leadership for security domains, assists with defining vision and execution of strategy aligning to business needs and is expected to help solve a wide range of security challenges. • The Security Architecture is part of a highly collaborative security program and an engineering culture-driven technology organization. • Drive full-stack AppSec across web, mobile, and cloud: integrate SCA, SAST, DAST, and secret-scanning into CI/CD pipelines (Jenkins, CircleCI, GitHub Actions) and IaC workflows (Terraform), covering Node.js/React back-ends and React Native/Kotlin mobile clients. • Lead AI/Model Security: define and enforce security practices around private model hosting platforms (e.g., AWS model services) ensuring safe deployment and monitoring of in-house and third-party models. • Own API security: design and implement robust protections for REST and GraphQL endpoints, including schema validation, rate limiting, and automated vulnerability scanning. • Drive vulnerability management: design and tune scan configurations, interpret results, partner with developers to remediate findings, and maintain dashboards to track trends and SLAs. • Drive offensive security programs: perform threat modeling, internal pentests, and red-team exercises; produce detailed reports, track remediation workflows, and continuously improve tactics. • Lead CIAM & IAM: architect and audit customer identity and access management solutions (e.g., Auth0 or similar), integrate bot and fraud defenses (e.g., reCAPTCHA), and ensure least-privilege access throughout our user-facing and internal systems. • Develop policy & guidance: author secure-coding standards, CI/CD security playbooks, secret-management procedures, and comprehensive AppSec/ProductSec documentation to ensure repeatable, compliant practices. • Mentor & evangelize: conduct secure code reviews, deliver workshops, and cultivate a security-first mindset across engineering teams.

🎯 Requirements

• 12+ years in security engineering, including at least 5 years focused on Application Security at a senior or staff level. • Deep familiarity with modern web and mobile stacks (Node.js, React/React Native, Kotlin, npm) and Git-centric workflows. • Hands-on experience with SCA, SAST, DAST, and secret-scanning solutions (e.g., Tenable, Snyk, Oligo, CrowdStrike, GitHub Advanced Security). • Proven ability to automate security checks within Jenkins, CircleCI, and GitHub Actions pipelines, and to codify controls in Terraform. • Strong coding/scripting skills (JavaScript/TypeScript, Python, or Go) and experience building custom security automation. • Thorough understanding of the vulnerability lifecycle: triage, remediation, reporting, and trend analysis. • Experience securing workloads in AWS and building cloud-native guardrails. • Demonstrated background securing private AI/ML model deployments. • Expertise in API security, specifically GraphQL, and implementing protections like schema validation and rate limiting. • Hands-on experience architecting CIAM/IAM solutions (e.g., Auth0 or equivalent) and integrating bot-detection tools (e.g., reCAPTCHA). • Experience in healthcare or other highly regulated environments. • Excellent leadership, collaboration, and communication skills for high-visibility, cross-functional initiatives.

🏖️ Benefits

• Competitive salary & equity compensation for full-time roles • Unlimited PTO, company holidays, and quarterly mental health days • Comprehensive health benefits including medical, dental & vision, and parental leave • Employee Stock Purchase Program (ESPP) • 401k benefits with employer matching contribution • Offsite team retreats