Sr. Application Security Engineer
Hims and Hers · Remote · Posted 23 February 2026
Job Description
Hims & Hers is the leading health and wellness platform, on a mission to help the world feel great through the power of better health. We are redefining healthcare by putting the customer first and delivering access to care that is affordable, accessible, and personal, from diagnosis to treatment to delivery. No two people are the same, so we provide access to personalized care designed for results. By normalizing health & wellness challenges and innovating on their solutions, we’re making better health outcomes easier to achieve. Hims & Hers is a public company, traded on the NYSE under the ticker symbol “HIMS.” To learn more about the brand and offerings, you can visit hims.com/about and hims.com/how-it-works. For information on the company’s outstanding benefits, culture, and its talent-first flexible/remote work approach, see below and visit www.hims.com/careers-professionals.

About the Role:

We are seeking a Senior Application Security Engineer II to join our security team. This role will focus on ensuring the security of our applications throughout the development lifecycle, with an emphasis on modern security practices including AI/ML security considerations. You will work closely with development teams to implement secure coding practices and maintain our application security posture.

You Will:

- Conduct security assessments using SAST, DAST, and SCA tools to identify vulnerabilities in applications
- Perform code reviews and provide secure coding guidance to development teams
- Implement and maintain GitHub Advanced Security, including secret scanning and code scanning
- Assess and improve security of Infrastructure as Code (IaC) deployments using Terraform
- Evaluate container security in our Docker and Kubernetes environments
- Support CI/CD security integration and automation
- Conduct penetration testing and red team/purple team exercises on applications
- Review and secure API implementations, with focus on GraphQL security
- Evaluate AI/ML model security and implement protections against prompt injection and other AI-specific threats
- Collaborate with the Staff AppSec Engineer on CIAM and advanced AI security initiatives
- Maintain security documentation and contribute to security awareness training

You Have:

- Bachelor's degree in Computer Science, Cybersecurity, Information Technology, or related field
- 5-8 years of experience in application security or related security field
- Hands-on coding experience and ability to review code in multiple languages
- Professional experience with SAST tools (e.g., SonarQube, Checkmarx, Fortify)
- Professional experience with DAST tools (e.g., Burp Suite, OWASP ZAP)
- Professional experience with SCA tools (e.g., Snyk, Black Duck, WhiteSource)
- Experience with GitHub Advanced Security features
- Container security scanning and IaC security scanning tools experience
- Strong understanding of OWASP Top 10 and secure coding practices
- Experience with penetration testing methodologies
- Knowledge of security frameworks: NIST CSF, NIST 800-53, SOC 2, PCI DSS
- Excellent communication skills to articulate security findings to technical and non-technical stakeholders

Preferred Qualifications:

- Industry certifications such as GIAC (GWEB, GSSP, GCSA), SANS, or OSCP
- Experience with Oligo, Socket, or NowSecure for mobile/runtime security
- AI/ML security and prompt injection prevention experience
- Cloudflare WAF and Bot Management configuration (nice to have)
- Purple team and red team exercise experience
- Security automation and scripting (Python, Go, or similar)
- Contributions to the security community (research, tools, presentations)
- Experience in healthcare or regulated industries

Technical Stack:

- Security Tools: Snyk, Burp Suite, GitHub Advanced Security, Terraform security scanners
- Languages: Proficiency in reviewing Python, JavaScript, Java, Go, and other modern languages
- Cloud: AWS (primary), multi-cloud experience beneficial
- CI/CD: Experience with Jenkins, GitHub Actions, or similar
- Containers: Docker, Kubernetes (EKS)

What We're Looking For:

Someone who can balance s ... (truncated, view full listing at source)