Senior Application Security Engineer - Remote

Overview

Heartflow is a medical technology company advancing the diagnosis and management of coronary artery disease, the #1 cause of death worldwide, using cutting-edge technology. The flagship product—an AI-driven, non-invasive cardiac test supported by the ACC/AHA Chest Pain Guidelines called the Heartflow FFR_CT Analysis—provides a color-coded, 3D model of a patient’s coronary arteries indicating the impact blockages have on blood flow to the heart. Heartflow is the first AI-driven non-invasive integrated heart care solution across the CCTA pathway that helps clinicians identify stenoses in the coronary arteries (RoadMap™Analysis), assess coronary blood flow (FFR_CT Analysis), and characterize and quantify coronary atherosclerosis (Plaque Analysis). Our pipeline of products is growing and so is our team; join us in helping to revolutionize precision heartcare.

In Short

• Partner with the engineering team to define secure coding practices, threat model our products and carry out essential parts of a secure SDLC.
• Collaborate with DevOps on identifying and implementing developer tools that support security best practices and identify security risks and vulnerabilities.
• Drive vulnerability identification using SAST, DAST and SCA tooling and manage external penetration testing.
• Support engineering team on vulnerability management, including risk assessment, remediation and improving identification of vulnerabilities.
• Build security awareness through training on secure coding practices, security standards and latest security threats.
• Translate security and privacy compliance requirements into technical requirements and support information security team.

Requirements

• Security Communication – Ability to reason about risk in complex environments and communicate that risk to technical and non-technical audiences. Experience leading training, speaking internally/externally about security projects valued.
• Securing SDLC – Experience building or improving secure SDLC activities, including threat modeling, code review, security testing and vulnerability management. 
• Programming Skills – Experience writing and maintaining code in at least one modern programming language and with at least one scripting language (Heartflow uses C++/Python). Comfortable with testing frameworks and CI/CD pipelines.
• Infrastructure as Code & Cloud – Familiarity with AWS (or equivalent cloud providers) and configuration tools (Terraform, Chef, Ansible). Experience with containerization (Docker, Kubernetes) and orchestration (GitHub Actions or similar).
• Education & Experience – BS in Computer Science (or related degree) or relevant certifications and equivalent experience. 4+ years experience working in Application Security.
• Regulated Environment Readiness – Understanding of—or willingness to learn—compliance, documentation, and quality requirements in medical or similarly regulated fields.

Benefits

• Healthcare Experience – Current knowledge of HIPAA, HITRUST and the complexities of working in a regulated environment. Experience with Software as a Medical Device (SaMD) is especially valuable.
• Knowledge of Modern AI Security Threats – Experience working with or ability to discuss current AI threats for both machine learning and generative AI.