What You’ll Be Doing

• Responsible for conducting and coordinating penetration testing and red teaming activities, researching and analyzing vulnerabilities, identifying relevant threats, developing corrective action recommendations, and summarizing and reporting results.
• Develop and refine methodologies to conduct Red Team operations successfully and consistently covering all areas of technology.
• Design and develop scripts, frameworks, tools, and the methods required for facilitating and executing complex scenarios, emulating malicious actor behavior aimed at avoiding detection.
• Perform manual penetration testing of web applications, APIs, and internal and external networks.
• Coordinate external penetration and web application scanning activities.
• Document in detail the results of assessments, audits, tests, and verification activities.
• Perform manual validation of vulnerabilities.
• Defining, maintaining, and implementing application security best practices to meet HITRUST and other security requirements.
• Providing guidance to Engineering teams during design reviews, including threat modeling.
• Develop and maintain the Information Security team’s threat models/profiles.
• Coordinate and facilitate tabletop exercises.
• Evaluating the impact on the organization of current security advisories, publications, and trends.
• In partnership with the Security Architect, review web applications, source code, operating systems, and network security architectures to identify vulnerabilities and define effective strategies for remediation and hardening.
• Explaining and demonstrating vulnerabilities/findings to product stakeholders, providing remediation steps, and designing solution prototypes and/or implementing security enhancements.
• Participating in building and maturing security capabilities and operations.
• Participating as a key member of the Incident Response team and serve as a web application and network security SME focused on determining impact, root cause, and resolution associated when needed.
• Identifying, vetting, and coordinating third-party vendors in meeting third-party application security testing requirements.

What You’ll Bring

• A passion for security and an attacker mindset.
• 3+ years of proven code review and penetration testing experience in both web applications and infrastructure; finding vulnerabilities and defining effective strategies for remediation and hardening.
• Experience testing and securing infrastructure on cloud providers such as AWS/Azure.
• Applied Secure SDLC knowledge.
• Experience with static and dynamic code analysis.
• Strong scripting and development skills in languages such as Java, JavaScript, Ruby, Python, etc.
• Security certifications such as OSCP, OSCE, OSAP, eCPPTv2, PNPT.
• Ability to write formal assessment reports and to explain vulnerabilities to different stakeholders.
• Knowledge and understanding of attack surfaces for enterprise systems and services.
• Solid understanding of TCP/UDP ports and protocols and web requests including POST, GET, HTTP headers, user agents, request parameters, cookies, etc.
• Solid understanding of the OAuth 2.0 authorization flow, JWT, and how to identify and exploit common vulnerabilities in web-based applications and network environments.
• Self-starter with the ability to work independently, interface with multiple teams, and willingness to overcome challenging problems while identifying opportunities for improvement.

Would Love For You To Have

• Experience threat modeling SaaS products, cloud infrastructure, RESTful microservices, etc.
• Significant hands-on penetration testing experience and offensive capabilities in numerous core competency areas including web applications, mobile applications, cloud infrastructure, etc.
• Experience with a variety of open-source and commercial testing tools in areas such as web interception proxies, packet capture, debugging, and API interaction.
• Understanding of hashing, encryption, and hash cracking technology.
• Experience developing exploits and adding functionality to open-source tools.
• Applied security research, cryptography, reverse engineering, and fuzzing experience.
• Additional certifications such as OSWE, GPEN, GXPN, CREST, OSEP, CRTO, or BSCP will be very desirable.
• Experience in vulnerability management within containerized environments.
• Strong SaaS and cloud security skills, with a focus on AWS.
• Understanding of common Microsoft Active Directory/Azure AD environment security and related vulnerabilities.
• AWS Certified Solutions Architect, AWS Certified Security Specialist or similar certifications preferred, CCSP or CISSP.  

What You’ll Get

• You will work with a team of experts in building and maintaining a highly validated security and privacy program for the leader in Population Health and Healthcare data.
• Be a part of a team and organization that has built security and privacy into the fabric and culture of the organization.
• Your responsibilities will grow with you as a critical member of our team.
• Be a part of a mission-driven company that is transforming the healthcare industry by changing the way patients receive care.
• The opportunity to work for an amazing, fast-growing software company leveraging a highly scalable cloud platform.
• Become an expert in all elements of securing clinical and claims healthcare data in the cloud.
• A flexible, remote-friendly company with personality and heart.
• Employee-driven programs and initiatives for personal and professional development.
• Awesome work environment.
• Competitive compensation/benefits package.
• Great benefits like flextime time off.