Senior Security Engineer - Infrastructure and DevOps
Location
Bangalore | India
Job description
We re looking for a detail oriented and technically proficient individual to join us in maturing the Application and Product Security group within the Security team. This function is growing, and you will have an opportunity to help shape the groups direction and grow with it.
Security Engineers will evaluate requests for the use of new AWS services, make recommendations whether the service should be used in our environment and if approved assess the risks, and create standards and guidelines for use of those services.
A Security Engineer will evaluate these requests for new infrastructure or changes to existing infrastructure against the Security pillar of the AWS Well-Architected Framework, HIPAA, HITRUST, CIS Benchmarks, other regulatory requirements and other security best practices and frameworks as needed.
Security Engineers (Infrastructure and DevOps) focus on where our applications interact with and rely on infrastructure components, typically AWS, and our CI/CD pipeline. You will work directly with Engineering teams including developers, Developer Experience (CI/CD), SRE and other infrastructure teams to integrate security into stages of our Secure Software Development Life Cycle. This includes, working closely with the Developer Experience team to ensure all Application Security tools and scanners are integrated into CI/CD pipelines in a standardized manner while meeting all the needs of the Application Security team.
This role will also respond to security related design and implementation questions regarding infrastructure (AWS), integrated/supporting SaaS tools, and Application Security originating from Engineering teams with a focus on quick response and resolution to enable these teams to implement secure infrastructure, CI/CD pipelines, and internally developed microservices in a timely manner.
They may also be expected to assist in proactively identifying, assessing, advising engineering teams in the prioritization and remediation of source code security vulnerabilities. Security Engineers are expected to do so using multiple methods and tools including but not limited to manual penetration testing, outputs from automated security scanning tools including Software Composition Analysis, Static Application Security Testing, Dynamic Application Security Testing, and the findings from third-party application penetration tests.
Security Engineers also work with the Security Operations and Infrastructure teams to deploy and maintain security tools within the Hinge Health environment and assist in the tuning of these tools.
Security Engineers will be part of the incident response team as subject matter experts as needed. They may also be called upon as subject matter experts to assist other teams with third party security assessment requests.
WHAT YOU LL ACCOMPLISH
- Evaluate requests for the use of new AWS services, make recommendations whether the service should be used in our environment and if approved assess the risks, create standards and guidelines for use of those services.
- Review proposed changes and additions to AWS infrastructure against the Security pillar of the AWS Well-Architected Framework, HIPAA, HITRUST, other regulatory requirements and other security best practices and frameworks as needed.
- Contribute to the improvement of existing standards and guidelines for the use of IaaS infrastructure and related SaaS platforms including those hosted within AWS.
- Review Terraform Infrastructure as Code (IaC) change requests to ensure the changes meet all security requirements and verify the change being made adheres to the reviewed design.
- Review current and proposed integrations between Hinge Health infrastructure and third party SaaS platforms and integrations partners/clients. Assist Security Risk team with risk assessments of these platforms and integrations and the IAM team with any required service accounts, API keys, etc
- Contribute to the improvement of Software Development Life Cycle management policies, procedures, and standards.
- Implement automated security scanning tools (SCA, SAST, DAST, etc) into the CI/CD pipeline and assist with triage and risk assessment of results.
WHAT WERE LOOKING FOR
- Securing Cloud Infrastructure: Ability to use well known control frameworks (HITRUST CSF, NIST, etc), vendor best practices (AWS Well-Architected Framework) and security industry best practices to develop policies, procedures and standards for the secure use of a variety of cloud hosted services. Examples include but are not limited to applying the principle of least privilege in design AWS IAM permissions, securing Amazon EKS, Amazon Aurora, and Amazon S3.
- Automate Security Testing: Ability to configure and automate security scans as part of the CI/CD process, interpret the results and work directly with engineers on prioritization and remediation.
- Communication: Ability to partner with engineers and product managers to implement security by design.
- Judgment: Ability to assess the risk of vulnerabilities, tradeoffs in designs, etc to categorize and prioritize remediation work.
- Incident Handling: Be able to work as a subject matter expert in the security controls, internal communications, and infrastructure of Hinge Health applications during security incidents.
- Proactive: Enjoys proactively, asking questions and examining systems and processes for possible flaws and reaching out to relevant teams to identify and verify vulnerabilities that may not have been found by automated scanning and schedule manual reviews.
BONUS POINTS
- Experience securing applications in Health Care, securing ePHI and HIPAA/HITECH regulations.
- Experience with any of the following, deploying web based services on AWS infrastructure, Kubernetes, Aurora/RDS, GitHub Actions, Terraform IaC
- Familiarity with HITRUST CSF and NIST control frameworks.
- Experience in Threat Modeling
- Typescript, ReactNative, Ruby on Rails, GraphQL
- Experience performing security assessments and secure design of hardware and firmware of medical devices communicating over Bluetooth
Â
Job tags
Salary
