12 days ago

Senior Application Security Engineer

Hims & Hers

Hybrid
Full Time
$150,000

Job Overview

Job Title: Senior Application Security Engineer
Job Type: Full Time
Category: Commerce
Experience: 5 Years
Degree: Master
Offered Salary: $150,000
Location: Hybrid

Job Description

About Hims & Hers

Hims & Hers is the leading health and wellness platform on a mission to help the world feel great through the power of better health. The company is publicly traded on the NYSE under the ticker symbol “HIMS” and emphasizes affordable, accessible, and personalized care.

About the Role

The Senior Application Security Engineer is responsible for ensuring the security of our applications throughout the development lifecycle. Emphasis is placed on modern security practices, including AI/ML security considerations, secure coding, and continuous security assessments.

You Will

  • Conduct security assessments using SAST, DAST, and SCA tools.
  • Perform code reviews and provide secure coding guidance.
  • Implement and maintain GitHub Advanced Security and secret scanning.
  • Assess and secure Infrastructure as Code deployments using Terraform.
  • Evaluate container security in Docker and Kubernetes environments.
  • Support CI/CD security automation and integration.
  • Conduct penetration testing and red/purple team exercises.
  • Review and secure API implementations with a focus on GraphQL.
  • Evaluate AI/ML model security and implement protection measures.
  • Collaborate on CIAM and advanced AI security initiatives.
  • Maintain security documentation and contribute to awareness training.

You Have

  • Bachelor's degree in Computer Science, Cybersecurity, IT, or related field.
  • 5-8 years of experience in application security or related fields.
  • Hands-on coding experience with multiple languages.
  • Expertise with SAST, DAST, and SCA tools.
  • Experience with container and IaC security scanning.
  • Strong understanding of OWASP Top 10, secure coding, and penetration testing.

Preferred Qualifications

  • Industry certifications like GIAC, SANS, or OSCP.
  • Experience with mobile/runtime security and AI/ML threat prevention.
  • Knowledge of Cloudflare WAF, Bot Management, and security automation scripting.
  • Contributions to the security community.
  • Experience in healthcare or regulated industries.

Technical Stack

  • Security Tools: Snyk, Burp Suite, GitHub Advanced Security, Terraform security scanners.
  • Languages: Python, JavaScript, Java, Go, and other modern languages.
  • Cloud: AWS (primary) with multi-cloud exposure.
  • CI/CD: Jenkins, GitHub Actions, or similar tools.
  • Containers: Docker, Kubernetes (EKS).

What We're Looking For

A self-motivated individual who can balance security requirements with business needs while staying current with emerging threats, especially in AI/ML. The role requires a strong collaborator who works effectively with development teams.

Benefits

  • Competitive salary and equity compensation.
  • Unlimited PTO, company holidays, and mental health days.
  • Comprehensive health benefits including medical, dental, vision, and parental leave.
  • Employee Stock Purchase Program and 401k with matching.
  • Offsite team retreats.

Key skills/competency

  • Application Security
  • SAST
  • DAST
  • SCA
  • CI/CD
  • Terraform
  • Container Security
  • AI/ML Security
  • Penetration Testing
  • Secure Coding

How to Get Hired at Hims & Hers

  • Customize your resume: Tailor it with application security keywords.
  • Highlight relevant experience: Emphasize SAST, DAST, and CI/CD skills.
  • Research Hims & Hers culture: Visit their website and review benefits.
  • Prepare for technical interviews: Review secure coding and penetration testing methods.
