Job Title: Security Engineer
About Us:
On a mission to deliver affordable, delightful healthcare for all, First Stop Health provides connected, whole-person virtual care to employers 24/7 through app, website, or phone in all 50 states. First Stop Health prioritizes an engaging and easy-to-use experience, setting people on healthier journeys through care at multiple stages. We are proud to be recognized as one of Fast Company’s Most Innovative Companies.
First Stop Health offers a comprehensive benefits package that includes various health and medical coverage options, dental and vision coverage, and disability and life coverage, making healthcare easily accessible. For those who choose to waive medical coverage, a monthly medical waiver allowance will be provided.
First Stop Health offers a remote-first work environment and flexible paid time off, including Summer Fridays. Furthermore, the employer match 401k plan and monthly phone stipend demonstrate the company's commitment to employee financial well-being. The First Stop Health membership benefit is another added perk for employees and provides our virtual care solutions -- Urgent Care, Mental Health, and Primary Care -- from their very first day!
Job Description:
We are seeking a Security Engineer to help design, implement, and maintain security controls and practices across the organization. This role partners closely with Engineering, DevOps, IT, Compliance, and the broader Information Security team to identify risks, strengthen security posture, and support secure business operations.
The ideal candidate has a strong application security background combined with broad security engineering experience across cloud environments, infrastructure, identity and access management, vulnerability management, security operations, and secure software development practices. This individual will help integrate security throughout the organization while balancing risk reduction with business objectives.
Responsibilities:
Application Security and Secure Development
- Lead application security initiatives including architecture reviews, threat modeling, code reviews, and penetration testing coordination
- Integrate security controls and testing into the SDLC and CI/CD pipelines
- Partner with development teams to remediate vulnerabilities and improve secure coding practices
- Champion secure design principles across web, mobile, API, and cloud-native applications
- Support implementation and operation of security testing tools including SAST, DAST, SCA, and secrets detection
Threat Modeling & Risk Assessment
- Perform and facilitate threat modeling exercises with development teams to identify potential attack vectors and prioritize risks
- Conduct risk assessments and provide actionable guidance to reduce application-level security risk
- Communicate risk findings clearly, balancing technical detail with business impact
Security Engineering & Architecture
- Design, implement, and maintain security controls across cloud, infrastructure, applications, and enterprise systems
- Participate in security architecture reviews and provide recommendations for risk reduction
- Evaluate and implement security technologies that improve organizational security posture
- Support identity and access management initiatives, including authentication, authorization, and privileged access controls
- Assess cloud environments for security risks and recommend remediation strategies
- Support cloud security initiatives including identity management, logging, monitoring, network security, and workload protection
Vulnerability & Risk Management
- Identify, assess, prioritize, and track remediation of security vulnerabilities across applications, cloud environments, endpoints, and infrastructure
- Partner with system owners and engineering teams to ensure timely remediation of identified risks
Security Monitoring & Incident Response
- Assist with security investigations, incident response activities, and post-incident reviews
- Collaborate with security operations personnel to improve detection and response capabilities
Security Testing & Assessments
- Lead application security assessments, including static and dynamic analysis, architecture reviews, and manual testing
- Perform and oversee code reviews to identify security vulnerabilities and design flaws
- Lead and coordinate penetration testing engagements, including scoping, execution, remediation validation, and reporting
Advisory & Enablement
- Serve as a trusted security advisor to internal teams, providing expert guidance on secure design, implementation, and remediation
- Develop and deliver security training and awareness content for developers and technical stakeholders
- Contribute to security documentation, standards, and internal knowledge bases
Threat Intelligence & Continuous Improvement
- Monitor relevant threat intelligence sources related to application and software supply chain risks
- Analyze emerging threats and vulnerabilities and communicate relevant findings to the Information Security team and other stakeholders
- Recommend enhancements to application security controls and practices based on evolving threats and industry trends
Requirements:
- Bachelor’s degree or equivalent practical experience preferred
- 5-8 years of experience in cybersecurity, information security, cloud security, application security, infrastructure engineering, or related technical disciplines
- Strong understanding of security principles across applications, cloud platforms, infrastructure, networks, and enterprise systems
- Strong experience performing security assessments and risk evaluations across applications, cloud platforms, and infrastructure
- Knowledge of security frameworks and standards such as NIST CSF, CIS Controls, OWASP, ISO 27001, and HIPAA
- Experience with vulnerability management and remediation processes
- Familiarity with security monitoring, incident response, and threat detection concepts
- Experience working in AWS and Azure environments
- Strong understanding of authentication, authorization, encryption, and identity management concepts
- Excellent communication and stakeholder management skills
Preferred Skills:
- Strong application security experience including threat modeling, secure code review, penetration testing coordination, and secure SDLC practices
- Experience with SAST, DAST, SCA, container security, and software supply chain security tools
- Familiarity with DevSecOps practices and CI/CD security integrations
- Experience with security tooling such as SIEM, EDR, CSPM, IAM, and vulnerability management platforms
- Certifications preferred: Security+, Certified Application Security Engineer (CASE), Certified Secure Software Engineer Lifecycle Professional (CSSLP), etc.
First Stop Health is committed to diversity, equity, inclusion, and belonging. Research shows that women, people of color and other historically underrepresented groups tend to only apply to jobs in which they meet all the job requirements. Unsure if you check every box? Apply. We would love to consider your unique experiences and how you could make First Stop Health even better.
To learn more about First Stop Health, visit www.fshealth.com. If you require any assistance during the application process or have questions, please don't hesitate to contact our talent acquisition team via email at careers@fshealth.com.