Principal Application Security Engineer
Healthcare should work for patients, but it doesn’t. In their time of need, they call down outdated insurance directories. Then wait on hold. Then wait weeks for the privilege of a visit. Then wait in a room solely designed for waiting. Then wait for a surprise bill. In any other consumer industry, the companies delivering such a poor customer experience would not survive. But in healthcare, patients lack market power. Which means they are expected to accept the unacceptable.
Zocdoc’s mission is to give power to the patient. To do that, we’ve built the leading healthcare marketplace that makes it easy to find and book in-person or virtual care in all 50 states, across +200 specialties and +12k insurance plans. By giving patients the ability to see and choose, we give them power. In doing so, we can make healthcare work like every other consumer sector, where businesses compete for customers, not the other way around. In time, this will drive quality up and prices down.
We’re 15 years old and the leader in our space, but we are still just getting started. If you like solving important, complex problems alongside deeply thoughtful, driven, and collaborative teammates, read on.
Your Impact on our Mission:
Zocdoc’s most important asset is our people. Join Zocdoc as a Principal Application Security Engineer to help provide better care to patients and build a better healthcare experience! As a Principal Application Security Engineer you’ll play a critical role in keeping patients and healthcare providers safe and work closely on cutting-edge technology. You’ll define our application security strategy and partner with security-friendly product and technology teams to incorporate security into the application development lifecycle. This is a great opportunity to anchor a growing team, work with top-notch Technology and Compliance teams, and apply your hard-earned skills for a great mission and impact.
You’ll enjoy this role if you are…
- Deeply passionate about security best practices, software development, and mastering new technology
- Excited to partner with software engineers on tech designs and code reviews with an eye for improving security
- Experienced in giving risk and technical advice on building web applications, resulting in hardened services that still allow for a great user experience
- Not afraid of driving infosec initiatives on your own or being a leader on bigger projects
- Organized and able to manage multiple threads while working with our Infosec, Compliance, Infrastructure, and Product teams
- Motivated by building secure products that make healthcare more accessible and safer for patients
Your day to day is…
- Assessing Zocdoc’s application threat landscape through architecture reviews, code analysis, threat modeling, and data investigations
- Reviewing changes to our production environments and helping engineers design and build more secure products
- Closely partnering with our infosec and compliance teams to create long-lasting processes and security controls based on industry best practices
- Evaluating and operationalizing security and threat scanning tools by integrating with our development environments and build pipelines
- Prioritizing and reporting the outcomes of vulnerability scans and penetration testing, and proposing appropriate remediation or mitigation controls
- Engaging with vendors who support our application security efforts, including researching new vendor solutions, managing vendor performance during projects, and ensuring work product from our suppliers is reviewed and incorporated into our workflow (e.g. pentesting results are ticketed for follow-up)
- Helping with HITRUST and SOC audits by coordinating with other teams, implementing controls, and gathering evidence
You’ll be successful in this role if you have…
- Experience securing and building web and mobile based B2C and/or B2B software products
- Managed vulnerability detection and resolution processes, with experience using automated code analysis tools and reporting out to a larger technology team
- Worked with development teams to provide specific recommendations on how to fix and prioritize vulnerabilities, and are a subject matter expert on secure design, common vulnerabilities and attack vectors (e.g. OWASP, SANS), and secure coding practices
- A fundamental understanding of security frameworks like NIST CSF
- Experience working with AWS or other cloud environments
- Strong investigative skills, including expertise in SQL to conduct analysis
- 8+ years of total engineering experience, with 4+ years in a Security Engineering role
- CISSP and OSCP are a bonus
- Flexible, hybrid work environment
- Unlimited PTO
- 100% paid employee health benefit options
- Employer funded 401(k) match
- L&D offerings + a free LinkedIn learning account
- Corporate wellness programs with Headspace and Peloton
- Sabbatical leave (for employees with 5+ years of service)
- Competitive parental leave
- Cell phone reimbursement
- In-office perks including:
  - Catered lunch every day along with snacks
  - Commuter benefits
  - Convenient Soho location
Zocdoc is the country’s leading digital health marketplace that helps patients easily find and book the care they need. Each month, millions of patients use our free service to find nearby, in-network providers, compare choices based on verified patient reviews, and instantly book in-person or video visits online. Providers participate in Zocdoc’s Marketplace to reach new patients to grow their practice, fill their last-minute openings, and deliver a better healthcare experience. Founded in 2007 with a mission to give power to the patient, our work each day in pursuit of that mission is guided by our six core values. Zocdoc is a private company backed by some of the world’s leading investors, and we believe we’re still only scratching the surface of what we plan to accomplish.
Zocdoc is a mission-driven organization dedicated to building teams as diverse as the patients and providers we aim to serve. In the spirit of one of our core values, Together, Not Alone, we are a company that prides itself on being highly collaborative, and we believe that diverse perspectives, experiences and contributors make our community and our platform better. We’re an equal opportunity employer committed to providing employees with a work environment free of discrimination and harassment. Applicants are considered for employment regardless of race, color, ethnicity, ancestry, religion, national origin, gender, sex, gender identity, gender expression, sexual orientation, age, citizenship, marital or parental status, disability, veteran status, or any other class protected by applicable laws.