Hims & Hers is hiring a Sr. Application Security Engineer to ensure the security of our applications throughout the development lifecycle, with a focus on modern practices including AI/ML security. You will work closely with development teams to implement secure coding practices and maintain our application security posture, supporting our mission to make healthcare accessible and personal.
What You'll Do
- Conduct security assessments using SAST, DAST, and SCA tools to identify vulnerabilities.
- Perform code reviews and provide secure coding guidance to development teams.
- Implement and maintain GitHub Advanced Security, including secret and code scanning.
- Assess and improve security of Infrastructure as Code deployments using Terraform.
- Evaluate container security in Docker and Kubernetes environments.
- Support CI/CD security integration and automation.
- Conduct penetration testing and red team/purple team exercises.
- Review and secure API implementations, with a focus on GraphQL security.
- Evaluate AI/ML model security and implement protections against prompt injection.
- Collaborate with the Staff AppSec Engineer on CIAM and advanced AI security initiatives.
- Maintain security documentation and contribute to security awareness training.
What We're Looking For
- Bachelor's degree in Computer Science, Cybersecurity, Information Technology, or related field.
- 5-8 years of experience in application security or a related field.
- Hands-on coding experience and ability to review code in multiple languages.
- Professional experience with SAST tools (e.g., SonarQube, Checkmarx, Fortify).
- Professional experience with DAST tools (e.g., Burp Suite, OWASP ZAP).
- Professional experience with SCA tools (e.g., Snyk, Black Duck, WhiteSource).
- Experience with GitHub Advanced Security features.
- Container security scanning and IaC security scanning tools experience.
- Strong understanding of OWASP Top 10 and secure coding practices.
- Experience with penetration testing methodologies.
- Knowledge of security frameworks: NIST CSF, NIST 800-53, SOC 2, PCI DSS.
- Excellent communication skills to articulate security findings to technical and non-technical stakeholders.
Nice to Have
- Industry certifications such as GIAC (GWEB, GSSP, GCSA, the SANS-affiliated certifications) or OSCP.
- Experience with Oligo (runtime application security), Socket (open-source dependency and supply-chain security), or NowSecure (mobile application security).
- AI/ML security and prompt injection prevention experience.
- Cloudflare WAF and Bot Management configuration experience.
- Purple team and red team exercise experience.
- Security automation and scripting skills (Python, Go, or similar).
- Contributions to the security community (research, tools, presentations).
- Experience in healthcare or regulated industries.
Technical Stack
- Tools: Snyk, Burp Suite, GitHub Advanced Security, Terraform security scanners
- Languages: Python, JavaScript, Java, Go
- Platforms & Infrastructure: AWS, Jenkins, GitHub Actions, Docker, Kubernetes (EKS)
Team & Environment
You will be part of the security team, collaborating closely with development teams and a Staff AppSec Engineer.
Benefits & Compensation
- Competitive salary & equity compensation for full-time roles.
- Unlimited PTO, company holidays, and quarterly mental health days.
- Comprehensive health benefits including medical, dental & vision, and parental leave.
- Employee Stock Purchase Program (ESPP).
- 401k benefits with employer matching contribution.
- Offsite team retreats.
Work Mode
This role follows a hybrid work model.
Hims considers all qualified applicants for employment, including applicants with arrest or conviction records, in accordance with the San Francisco Fair Chance Ordinance, the Los Angeles County Fair Chance Ordinance, the California Fair Chance Act, and any similar state or local fair chance laws.