Product Security Engineer

Candid Health

$180K — $258K *
Information Technology
5 - 7 years of experience
Job Overview by Ladders

Qualifications

  • 5+ years in software or security engineering with a focus on product/application security.
  • Proficient in programming languages such as Python, Go, Java, or JavaScript.
  • Strong grasp of modern web/cloud architectures (e.g., APIs, Microservices, Kubernetes).
  • Familiar with OWASP Top 10 and exploitation techniques.
  • Ability to collaborate effectively with engineering teams.

Responsibilities

  • Lead threat modeling sessions during the architectural design phase.
  • Drive 'Shift Left' security practices by integrating security tooling into developer workflows.
  • Triage and partner with engineers to remediate identified vulnerabilities.
  • Build and maintain security automation tools for developers.
  • Develop training and security guardrails for engineering teams.
  • Assist in identifying root causes of security incidents and improve architecture post-incident.
  • Build processes for ensuring security of open-source dependencies.

Benefits

  • Flexible work arrangements, promoting work-life balance.
  • Opportunities for professional development and training.
  • Equity options as part of the compensation package.
  • Collaborative work culture with minimal hierarchy.
Full Job Description

Role Overview

We are looking for a Product Security Engineer to join our team and act as a champion for security within our product engineering organization. You will be responsible for ensuring our products are designed, developed, and maintained with security as a core pillar. You will work in partnership with development squads to perform threat modeling, guide secure architecture decisions, and automate security gates in our CI/CD pipelines.

Key Responsibilities
  • Security by Design: Lead threat modeling sessions during the architectural design phase of new features to identify potential risk vectors early.
  • Secure Development Lifecycle (SDLC): Drive the adoption of "Shift Left" security practices, integrating security tooling (SAST, DAST, SCA) directly into developer workflows.
  • Vulnerability Management: Triage, prioritize, and partner with engineering teams to remediate vulnerabilities found in code, third-party libraries, and cloud infrastructure.
  • Security Tooling & Automation: Build, maintain, and tune security automation tools to reduce friction for developers while maintaining high-security standards.
  • Secure Coding Standards: Develop and deliver training, coding patterns, and security guardrails to help engineering teams build resilient, secure-by-default products.
  • Incident Response Support: Assist in identifying the root cause of security incidents related to product features and contribute to post-incident remediation and architectural improvements.
  • Supply Chain Security: Build out processes and automation to ensure the security of open-source dependencies.
Required Qualifications
  • Experience: 5+ years of experience in software engineering or security engineering, specifically focusing on product security or application security.
  • Technical Skills:
    • Proficiency in one or more programming languages (e.g., Python, Go, Java, or JavaScript).
    • Deep understanding of modern web/cloud architecture (e.g., APIs, Microservices, Kubernetes, AWS/GCP/Azure).
    • Familiarity with the OWASP Top 10 and common exploitation techniques.
  • Collaboration: Proven ability to influence and collaborate with engineering teams without hindering development velocity.
  • Problem Solving: Strong analytical skills to evaluate complex systems and design innovative, practical security solutions.
Preferred Skills (Nice to Have)
  • Experience with Infrastructure as Code (IaC) security (e.g., Terraform, CloudFormation).
  • Experience in designing cryptographic implementations or secure authentication/authorization flows (e.g., OAuth, OIDC, JWT).
  • Knowledge of compliance frameworks relevant to our industry (e.g., SOC2, ISO27001, HIPAA).

Pay Transparency

The estimated starting annual salary range for this position is $180,000 - 258,000 USD. The listed range is a guideline from Pave data, and the actual base salary may be modified based on factors including job-related skills, experience/qualifications, interview performance, market data, etc. Total compensation for this position may also include equity, sales incentives (for sales roles), and employee benefits. Given Candid Health's funding and size, we heavily value the potential upside from equity in our compensation package. Further note that Candid Health has minimal hierarchy and titles, but has broad ranges of experience represented within roles.
