Senior Application Security Engineer

About the position

Heartflow is a medical technology company advancing the diagnosis and management of coronary artery disease, the #1 cause of death worldwide, using cutting-edge technology. The flagship product—an AI-driven, non-invasive cardiac test supported by the ACC/AHA Chest Pain Guidelines called the Heartflow FFRCT Analysis—provides a color-coded, 3D model of a patient’s coronary arteries indicating the impact blockages have on blood flow to the heart. Heartflow is the first AI-driven non-invasive integrated heart care solution across the CCTA pathway that helps clinicians identify stenoses in the coronary arteries (RoadMap™Analysis), assess coronary blood flow (FFRCT Analysis), and characterize and quantify coronary atherosclerosis (Plaque Analysis). Our pipeline of products is growing and so is our team; join us in helping to revolutionize precision heartcare. Heartflow is a VC-backed company that has received international recognition for exceptional strides in healthcare innovation, is supported by medical societies around the world, cleared for use in the US, UK, Europe, Japan and Canada, and has been used for more than 400,000 patients worldwide. We are looking for a Senior Application Security Engineer to work with our engineering team to ensure security is an integral part of our Software Development Lifecycle (SDLC). In this role, you’ll have the chance to use your security background to protect patients as we build products that leverage AI to improve healthcare. If you enjoying working with talented engineers to solve complex technical challenges and want to want to see your work make a direct difference in patient outcomes, we encourage you to apply.

Responsibilities

• Partner with the engineering team to define secure coding practices, threat model our products and carry out essential parts of a secure SDLC.
• Collaborate with DevOps on identifying and implementing developer tools that support security best practices and identify security risks and vulnerabilities.
• Drive vulnerability identification using SAST, DAST and SCA tooling and manage external penetration testing.
• Support engineering team on vulnerability management, including risk assessment, remediation and improving identification of vulnerabilities.
• Build security awareness through training on secure coding practices, security standards and latest security threats.
• Translate security and privacy compliance requirements into technical requirements and support information security team.

Requirements

• Ability to reason about risk in complex environments and communicate that risk to technical and non-technical audiences.
• Experience leading training, speaking internally/externally about security projects.
• Experience building or improving secure SDLC activities, including threat modeling, code review, security testing and vulnerability management.
• Experience writing and maintaining code in at least one modern programming language and with at least one scripting language (Heartflow uses C++/Python).
• Familiarity with AWS (or equivalent cloud providers) and configuration tools (Terraform, Chef, Ansible).
• Experience with containerization (Docker, Kubernetes) and orchestration (GitHub Actions or similar).
• BS in Computer Science (or related degree) or relevant certifications and equivalent experience.
• 4+ years experience working in Application Security.
• Understanding of—or willingness to learn—compliance, documentation, and quality requirements in medical or similarly regulated fields.

Nice-to-haves

• Current knowledge of HIPAA, HITRUST and the complexities of working in a regulated environment.
• Experience with Software as a Medical Device (SaMD).
• Experience working with or ability to discuss current AI threats for both machine learning and generative AI.

Benefits

• A reasonable estimate of the base salary compensation range is $125,000 to $185,000 per year, cash bonus, and stock options.