Senior Application Security Engineer

About the Role

Fabric handles protected health information at scale across 75+ health systems and millions of patient encounters. Security is not a layer we add at the end. It is built into how we work. As a Senior Application Security Engineer, you will own the application security practice at Fabric, partnering directly with engineering to embed security throughout the development lifecycle, build the tooling and automation that keeps our platform secure, and ensure our applications meet the compliance standards our health system customers require. This is a new headcount reporting to the VP of Infrastructure.

What You'll Do

As a Senior Application Security Engineer, you will be the driving force behind application security at Fabric, operating as a partner to engineering rather than a gatekeeper. Your primary responsibilities will include: Secure Development & Code Review: Partner with engineering teams to embed security throughout the SDLC across Fabric's Ruby on Rails, Python, React, and Node.js applications. Conduct security-focused code reviews and provide actionable guidance on secure coding practices. Threat Modeling & Assessment: Lead threat modeling exercises for new features and architectural changes. Conduct application penetration testing and vulnerability assessments across the platform, prioritizing findings and working directly with engineering to drive remediation. DevSecOps & Tooling: Implement and manage SAST and DAST tooling integrated into CI/CD pipelines. Build security guardrails and automated checks that allow engineering to move fast without introducing risk to the platform or patient data. Compliance & Risk: Ensure application security practices meet HIPAA, SOC 2, and HITRUST requirements. Assess third-party integrations and APIs for security risk, including EHR integrations with Epic and Cerner. Security Education & Culture: Run secure coding training and awareness programs for engineering teams. Serve as the internal subject matter expert on application security and lead response to application-layer security incidents. Why You Might Be a Good Fit You think like an attacker and build like an engineer. You are as comfortable in a codebase as you are writing a threat model. You understand that in healthcare, a vulnerability is not just a technical problem. It is a patient safety and compliance problem. You prefer building guardrails and education programs over reactive patching. You can communicate security risk to engineering teams in a way that drives action, not defensiveness. You are energized by building a security practice and shaping how a fast-growing company approaches application security. This Might Not Be The Right Fit If... You are primarily a compliance or GRC-focused security professional and are not comfortable getting into the code. You prefer working in a mature, established security program over building and defining one. You are not comfortable working closely with engineering as a partner rather than an oversight function. You do not have experience in a regulated environment where security decisions carry direct compliance implications. Your Qualifications 5+ years of experience in application security with hands-on experience in security assessments, penetration testing, and secure code review. Proficiency in at least one language in Fabric's stack: Ruby, Python, JavaScript/TypeScript, or similar. Experience integrating SAST and DAST tooling into CI/CD pipelines. Deep understanding of the OWASP Top 10 and common application vulnerabilities. Experience with threat modeling methodologies. Familiarity with cloud security in AWS environments. Understanding of HIPAA or other regulated industry security requirements. Bonus Points Experience securing healthcare applications or working with PHI. Familiarity with EHR integration security including FHIR, HL7, Epic, or Cerner APIs. Security certifications such as OSCP, GWEB, or BSCP. Experience with bug bounty program management. SOC 2 or HITRUST audit support experience. The national pay range for this role is $130,000.00 – $160,000.00 per year. Actual compensation will be determined by factors such as the candidate's geographic market, experience, skills, and qualifications. Certain roles may also be eligible for additional compensation, including a comprehensive benefits package such as medical, dental, vision, unlimited PTO, and a 401(k) plan, stock options and bonuses. If your compensation requirement is greater than our posted range, please still consider applying; a determination can be made based on unique qualifications. Expected compensation ranges for this role may change over time. Apply To This Job