Staff Engineer, Product Security
One Medical is a primary care solution challenging the industry status quo by making quality care more affordable, accessible and enjoyable. But this isn’t your average doctor’s office. We’re on a mission to transform healthcare, which means improving the experience for everyone involved - from patients and providers to employers and health networks. Our seamless in-office and 24/7 virtual care services, on-site labs, and programs for preventive care, chronic care management, common illnesses and mental health concerns have been delighting people for the past fifteen years.
In February 2023 we marked a milestone when One Medical joined Amazon. Together, we look to deliver exceptional health care to more consumers, employers, care team members, and health networks to achieve better health outcomes. As we continue to grow and seek to impact more lives, we’re building a diverse, driven and empathetic team, while working hard to cultivate an environment where everyone can thrive.
The Product Security team at One Medical consults with and supports our Product team, which has developed a very large code base that comprises a full-featured Electronic Medical Records system, as well as patient-facing applications. The Product Security team reviews architecture, design, and code, maintains security-related scanning in the CI/CD pipeline, and serves as expert consultants to engineers, engineering managers, and product managers regarding all efforts to keep patient and corporate data safe.
This role reports to the Manager of Product Security, but also works frequently with the Senior Director of Information Security. You will work as a high-level technical liaison between the Product Security team and Product Development technical leadership roles, such as Principal Engineers, Engineering Managers, the VP of Engineering, and the VP of Data Science and Analytics. You will think strategically, not just tactically, and be comfortable with complexity and situations where there is no perfect solution. This role is a partner (not a gatekeeper) for Product Development staff, and works to raise the security bar through education and counsel. You will help provide technical guidance regarding our CI/CD pipeline (GitHub, Dependabot, Semgrep, StackHawk, etc.) as well as Amazon tooling. At One Medical, we expect a Security Staff Engineer to be involved with local and virtual communities with regard to one or more of our stacks: Rails, Node, Go, Python, and others. A Staff Engineer must also have significant hands-on familiarity with at least one of these frameworks and its tooling. Here at One Medical, Security is not a waterfall-style afterthought; it’s baked into our software development processes and represents a “shift-left” style of security collaboration. You’ll be especially adept at providing software developers with options, rather than strict requirements, for security.
The team itself is highly collaborative and is always sharing learning from its own team members, as well as teams that are adjacent to it in the security organization – those neighbor teams are our colleagues in Enterprise Security and Detection and Response. Product Security also interacts with our Technical Compliance group when they are reviewing our compliance with HIPAA, SOX, SOC 2, and other regulatory and compliance frameworks.
What you'll work on:
- Participate in Product Development architecture and strategy meetings and discussions; in particular, you are a sounding board and guide for architectural considerations regarding access control and systems integration
- Help align One Medical’s application security practices with Amazon’s secure-by-design patterns
- Conduct Application Security Assessments, Security Architecture Reviews, and Threat Modeling
- Analyze security test results, document risks, and recommend mitigating controls
- Design new security automation and select tooling to improve our detection of application vulnerabilities, and to assist in the remediation of findings
- Provide security subject matter expertise to the Product Security team itself, as well as to development teams; develop secure coding practices and hands-on training for developers and quality engineers
- Contribute to our incident response and vulnerability remediation efforts
- Security research, presentation, security industry collaboration, and participation in hackathons
- On occasion, step in on hands-on security testing and code review of internally developed applications
What you’ll need:
- 7+ years of application security experience, or 5+ years of application security experience and 2+ years of software development experience
- Proven skills communicating and collaborating with product development leadership
- Significant experience collaborating with product development teams
- Significant experience in leading application security assessments, security architecture reviews, threat modeling, manual code reviews, and security design reviews
- Proven track record mentoring and maturing product security engineers
- Extensive experience identifying, testing, and remediating vulnerabilities, including those found in the OWASP Top 10 and CWE/SANS Top 25
- Experience building automation and/or writing scripts to solve security problems
Not required, but would be great if you also have:
- OSCP, OSWE, GPEN or similar certifications
- Contributions to the security community such as research, public CVEs, bug-bounty recognitions, open-source projects, and blogs or publications
- Experience working in highly regulated environments subject to compliance requirements such as HIPAA and PCI
- Experience with authentication/authorization technologies, like OpenID Connect, JWTs, SAML, and HMACs
- Experience with the security considerations for data pipelines, reporting, ML, and LLMs
- Experience with mobile security reviews and testing
- Dual Builder / Breaker mindset: Passion for breaking things and working alongside teams to fix them
- Familiarity with books and articles by authors such as Loren Kohnfelder, Adam Shostack, Dafydd Stuttard, etc.
- A writing sample that is a threat model, security design review, or a memo to a development team regarding an issue (this could be blacked out for confidential information)
- Good sense of humor :)
Benefits designed to aid your health and wellness:
Taking care of you today
- Paid sabbatical after 5 and 10 years
- Employee Assistance Program - Free confidential advice for team members who need help with stress, anxiety, financial planning, and legal issues
- Competitive Medical, Dental and Vision plans
- Free One Medical memberships for yourself, your friends and family
- Pre-Tax commuter benefits
- PTO cash outs - Option to cash out up to 40 accrued hours per year
Protecting your future for you and your family
- 401K match
- Opportunity to participate in company equity programs
- Credit towards emergency childcare
- Company-paid maternity and paternity leave
- Paid Life Insurance - One Medical pays 100% of the cost of Basic Life Insurance
- Disability insurance - One Medical pays 100% of the cost of Short Term and Long Term Disability Insurance
This is a full-time role based anywhere in the United States.
One Medical is committed to fair and equitable compensation practices.
The base salary range for this role is $152,000 to $270,000 annually. However, actual compensation packages are based on several factors that are unique to each candidate. These factors include, but are not limited to, job related knowledge and skill set, depth of experience, certifications and/or degrees, and specific work location.
The total compensation package for certain roles may also include additional components such as a sign-on bonus, annual performance bonus, equity grants in the form of RSUs, medical and other benefits and/or other applicable incentive compensation plans.
One Medical is an equal opportunity employer, and we encourage qualified applicants of every background, ability, and life experience to contact us about appropriate employment opportunities.
One Medical participates in E-Verify and will provide the federal government with your Form I-9 information to confirm that you are authorized to work in the U.S. Please refer to the E-Verification Poster (English/Spanish) and Right to Work Poster (English/Spanish) for additional information.