Senior Security Engineer
Mach7 Technologies · Burlington, VT · Yesterday
RemoteRemoteHealthcareFull-time
About the role
We're looking for a Senior Security Engineer to lead application security efforts across our product portfolio, spanning web applications, APIs, mobile, embedded software, and shipped product deliverables. You'll be embedded in the engineering organization, partnering with product and platform teams to bake security into every phase of the software development lifecycle, not bolt it on at the end.
Responsibilities
- Own and evolve the AppSec program across the entire SDLC — from design reviews to post-deployment monitoring — for web, API, mobile, and shipped product deliverables
- Build and maintain a living model of the product attack surface — mapping trust boundaries, data flows, exposed interfaces, and high-value targets — and use it to drive prioritization across all security workstreams
- Conduct threat modeling and architecture security reviews for new features, services, and product releases across all delivery channels
- Perform manual and automated secure code reviews across multiple languages (e.g. Python, Go, TypeScript, C/C++)
- Integrate and tune SAST, DAST, and SCA tooling within CI/CD pipelines (GitHub Actions, Jenkins, or equivalent)
- Triage and drive remediation of vulnerabilities surfaced through scanning, bug bounty, and pen tests
- Develop and maintain a library of security standards, patterns, and guardrails applicable across product types
- Own the Software Bill of Materials (SBOM) program — define generation, storage, and consumption processes across all product lines
- Evaluate, on-board, and continuously monitor third-party dependencies and open-source components
- Triage and prioritize CVEs and license risks surfaced through SCA tooling, driving timely remediation with engineering teams
- Define processes for responding to upstream supply chain incidents (e.g. compromised packages, malicious dependencies)
- Collaborate with procurement and legal to assess security risk of third-party vendors and integrations
- Contribute to industry frameworks and internal standards around software supply chain security (SLSA, NIST SSDF, or equivalent)
- Lead security training, lunch-and-learns, and developer education initiatives
- Collaborate with the Platform team on secrets management, identity, and access controls
- Work with the GRC function to translate compliance requirements (SOC 2, ISO 27001) into engineering controls
- Participate in the security on-call rotation and lead security incident response investigations
- Drive root cause analysis and communicate findings clearly to engineering leadership
- Build and maintain metrics and dashboards to track the health of the AppSec program
- Participate as a member of the Cybersecurity council, representing development in the organization. Report weekly on new threat intelligence as it relates to product security, and any actions that are being taken to remediate new findings.
Qualifications
- 5+ years of experience in security engineering, with a strong AppSec focus
- Hands-on experience with threat modeling frameworks (STRIDE, PASTA, or similar)
- Proficiency with common AppSec tooling: Semgrep, Snyk, Burp Suite, OWASP ZAP, or equivalents
- Deep understanding of web application vulnerabilities (OWASP Top 10, API security, auth/authz flaws)
- Ability to read and reason about code in at least two languages; prior development experience a plus
- Experience with software supply chain security — SBOM generation and analysis (CycloneDX, SPDX), SCA tooling, and dependency risk management
- Strong written and verbal communication skills — you can explain risk to both engineers and executives
- Collaborative, proactive, and driven to improve both product security and engineering security culture
- Passionate about continuous learning, emerging threats, and helping teams build secure products at scale