Your Impact on our Mission:

Zocdoc’s most important asset is our people. Join Zocdoc as a Principal Application Security Engineer to help provide better care to patients and build a better health care experience! As a Principal Application Security Engineer you’ll play a critical role in keeping patients and healthcare providers safe and work closely on cutting edge technology. You’ll define our application security strategy and partner with security-friendly product and technology teams to incorporate security into the application development lifecycle. This is a great opportunity to anchor a growing team, work with top notch Technology and Compliance teams, and apply your hard earned skills for a great mission and impact.

You’ll enjoy this role if you are…

• Deeply passionate about security best practices, software development, and mastering new technology
• Excited to partner with software engineers on tech designs and code reviews with an eye for improving security
• Experienced giving risk and technical advice on building web applications that result in hardened services that still allow for a great user experience
• Not afraid of driving infosec initiatives on your own or being a leader on bigger projects
• Organized, and can manage multiple threads working with our Infosec, Compliance, Infrastructure, and Product teams
• Motivated by building secure products that make healthcare more accessible and safer for patients

Your day to day is…

• Assessing Zocdoc’s application threat landscape through architecture reviews, code analysis, threat modeling, and data investigations
• Reviewing changes to our production environments and helping engineers design and build more secure products
• Closely partnering with our infosec and compliance teams to create long lasting processes and security controls with industry best practices
• Evaluating and operationalizing security and threat scanning tools by integrating with our development environments and build pipelines
• Prioritizing and reporting the outcomes of vulnerability scans and penetration testing, and proposing appropriate remediation or mitigation controls
• Engaging with vendors who support our application security efforts, including researching new vendor solutions, managing vendor performance during projects, and ensuring work product from our suppliers is reviewed and incorporated into our workflow (e.g. pentesting results are ticketed for follow-up)
• Helping with HITRUST and SOC audits by coordinating with other teams, implementing controls, and gathering evidence

You’ll be successful in this role if you have…

• Experience securing and building web and mobile based B2C and/or B2B software products
• Managed vulnerability detection and resolution processes, with experience with automated code analysis tools and reporting out to a larger technology team
• Worked with development teams to provide specific recommendations on how to fix and prioritize vulnerabilities and are subject matter expert on secure design, common vulnerabilities and attack vectors (e.g. OWASP, SANS), and secure coding practices
• A fundamental understanding of security frameworks like NIST CSF
• Experience working with AWS or other cloud environments
• Proficiency with at least one (1) common programming languages such as C#, Scala, Java, Python, Javascript, etc. and practiced code reviewer
• Strong investigative skills, including expertise of SQL to conduct analysis
• 8+ years of total engineering experience, with 4+ years in a Security Engineering role.
• CISSP and OSCP are bonus

Benefits:

• Unlimited PTO
• 100% paid employee health benefit options
• Employer funded 401(k) match
• L&D offerings + a free LinkedIn learning account
• Corporate wellness programs with Headspace and Peloton
• Sabbatical leave (for employees with 5+ years of service)
• Competitive parental leave
• Cell phone reimbursement