Staff Application Security Engineer

Hims & Hers is the leading health and wellness platform, on a mission to help the world feel great through the power of better health. We are redefining healthcare by putting the customer first and delivering access to care that is affordable, accessible, and personal, from diagnosis to treatment to delivery. No two people are the same, so we provide access to personalized care designed for results. By normalizing health & wellness challenges and innovating on their solutions, we’re making better health outcomes easier to achieve. 

Hims & Hers is a public company, traded on the NYSE under the ticker symbol “HIMS.” To learn more about the brand and offerings, you can visit hims.com/about and hims.com/how-it-works . For information on the company’s outstanding benefits, culture, and its talent-first flexible/remote work approach, see below and visit www.hims.com/careers-professionals.

About the Role:

As a Staff Application Security Engineer, you will be a thought leader as part of the Security Team focused on helping design, implement, and mature innovative and cutting-edge security capabilities. The Staff Security Engineer champions secure by design and defense in-depth principles into our initiatives, provides hands-on technical leadership for security domains, assists with defining vision and execution of strategy aligning to business needs and is expected to help solve a wide range of security challenges. The Security Architecture is part of a highly collaborative security program and an engineering culture-driven technology organization.

You Will:

• Drive full-stack AppSec across web, mobile, and cloud: integrate SCA, SAST, DAST, and secret-scanning into CI/CD pipelines (Jenkins, CircleCI, GitHub Actions) and IaC workflows (Terraform), covering Node.js/React back-ends and React Native/Kotlin mobile clients.

• Lead AI/Model Security: define and enforce security practices around private model hosting platforms (e.g., AWS model services) ensuring safe deployment and monitoring of in-house and third-party models.

• Own API security: design and implement robust protections for REST and GraphQL endpoints, including schema validation, rate limiting, and automated vulnerability scanning.

• Drive vulnerability management: design and tune scan configurations, interpret results, partner with developers to remediate findings, and maintain dashboards to track trends and SLAs.

• Drive offensive security programs: perform threat modeling, internal pentests, and red-team exercises; produce detailed reports, track remediation workflows, and continuously improve tactics.

• Lead CIAM & IAM: architect and audit customer identity and access management solutions (e.g., Auth0 or similar), integrate bot and fraud defenses (e.g., reCAPTCHA), and ensure least-privilege access throughout our user-facing and internal systems.

• Develop policy & guidance: author secure-coding standards, CI/CD security playbooks, secret-management procedures, and comprehensive AppSec/ProductSec documentation to ensure repeatable, compliant practices.

• Mentor & evangelize: conduct secure code reviews, deliver workshops, and cultivate a security-first mindset across engineering teams.

You Have:

• 12+ years in software engineering, including at least 5 years focused on Application Security at a senior or staff level.Deep familiarity with modern web and mobile stacks (Node.js, React/React Native, Kotlin, npm) and Git-centric workflows.

• Hands-on experience with SCA, SAST, DAST, and secret-scanning solutions (e.g., Tenable, Snyk, Oligo, CrowdStrike, GitHub Advanced Security).

• Proven ability to automate security checks within Jenkins, CircleCI, and GitHub Actions pipelines, and to codify controls in Terraform.

• Strong coding/scripting skills (JavaScript/TypeScript, Python, or Go) and experience building custom security automation.

• Thorough understanding of the vulnerability lifecycle: triage, remediation, reporting, and trend analysis.

• Experience securing workloads in AWS and building cloud-native guardrails.

• Demonstrated background securing private AI/ML model deployments..

• Expertise in API security, specifically GraphQL, and implementing protections like schema validation and rate limiting.

• Hands-on experience architecting CIAM/IAM solutions (e.g., Auth0 or equivalent) and integrating bot-detection tools (e.g., reCAPTCHA).

• Experience in healthcare or other highly regulated environments.

• Excellent leadership, collaboration, and communication skills for high-visibility, cross-functional initiatives.

Preferred Experience & Skills:

• Prior staff-level or lead role in AppSec, Product Security, or DevSecOps organizations.

• Experience standing up or managing a red team and conducting adversary simulation exercises.

• Knowledge of AI/ML security principles and securing machine-learning pipelines.

• Recognized security certifications—for example, CISSP, GIAC GWAPT, OSWE, LPT.

• Contributions to open-source security tools or thought leadership (talks, blog posts,

  publications).

• Advanced degree in Computer Science, Security, or related field.

Our Benefits (there are more but here are some highlights):

• Competitive salary & equity compensation for full-time roles

• Unlimited PTO, company holidays, and quarterly mental health days

• Comprehensive health benefits including medical, dental & vision, and parental leave

• Employee Stock Purchase Program (ESPP)

• 401k benefits with employer matching contribution

• Offsite team retreats

We are committed to building a workforce that reflects diverse perspectives and prioritizes ethics, wellness, and a strong sense of belonging. If you're excited about this role, we encourage you to apply—even if you're not sure if your background or experience is a perfect match.

Hims considers all qualified applicants for employment, including applicants with arrest or conviction records, in accordance with the San Francisco Fair Chance Ordinance, the Los Angeles County Fair Chance Ordinance, the California Fair Chance Act, and any similar state or local fair chance laws.

It is unlawful in Massachusetts to require or administer a lie detector test as a condition of employment or continued employment. An employer who violates this law shall be subject to criminal penalties and civil liability.

Hims & Hers is committed to providing reasonable accommodations for qualified individuals with disabilities and disabled veterans in our job application procedures. If you need assistance or an accommodation due to a disability, please contact us at [email protected] and describe the needed accommodation. Your privacy is important to us, and any information you share will only be used for the legitimate purpose of considering your request for accommodation. Hims & Hers gives consideration to all qualified applicants without regard to any protected status, including disability. Please do not send resumes to this email address.

To learn more about how we collect, use, retain, and disclose Personal Information, please visit our Global Candidate Privacy Statement.