Lead Security Engineer
Hinge Health
- Bangalore, Karnataka
- Permanent
- Full-time
- Evaluate requests for the use of new AWS services, make recommendations whether the service should be used in our environment and if approved assess the risks, create standards and guidelines for use of those services.
- Review proposed changes and additions to AWS infrastructure against the Security pillar of the AWS Well-Architected Framework, HIPAA, HITRUST, other regulatory requirements and other security best practices and frameworks as needed.
- Contribute to the improvement of existing standards and guidelines for the use of IaaS infrastructure and related SaaS platforms including those hosted within AWS.
- Review Terraform Infrastructure as Code (IaC) change requests to ensure the changes meet all security requirements and verify the change being made adheres to the reviewed design.
- Review current and proposed integrations between Hinge Health infrastructure and third party SaaS platforms and integrations partners/clients. Assist Security Risk team with risk assessments of these platforms and integrations and the IAM team with any required service accounts, API keys, etc.
- Contribute to the improvement of Software Development Life Cycle management policies, procedures, and standards.
- Implement automated security scanning tools (SCA, SAST, DAST, etc.) into the CI/CD pipeline and assist with triage and risk assessment of results.
- Securing Cloud Infrastructure: Ability to use well known control frameworks (HITRUST CSF, NIST, etc.), vendor best practices (AWS Well-Architected Framework) and security industry best practices to develop policies, procedures and standards for the secure use of a variety of cloud hosted services. Examples include but are not limited to applying the principle of least privilege in design AWS IAM permissions, securing Amazon EKS, Amazon Aurora, and Amazon S3.
- Automate Security Testing: Ability to configure and automate security scans as part of the CI/CD process, interpret the results and work directly with engineers on prioritization and remediation.
- Communication: Ability to partner with engineers and product managers to implement security by design.
- Judgment: Ability to assess the risk of vulnerabilities, tradeoffs in designs, etc. to categorize and prioritize remediation work.
- Incident Handling: Be able to work as a subject matter expert in the security controls, internal communications, and infrastructure of Hinge Health applications during security incidents.
- Proactive: Enjoys proactively, asking questions and examining systems and processes for possible flaws and reaching out to relevant teams to identify and verify vulnerabilities that may not have been found by automated scanning and schedule manual reviews.
- Experience securing applications in Health Care, securing ePHI and HIPAA/HITECH regulations.
- Experience with any of the following, deploying web based services on AWS infrastructure, Kubernetes, Aurora/RDS, GitHub Actions, Terraform IaC
- Familiarity with HITRUST CSF and NIST control frameworks.
- Experience in Threat Modeling
- Typescript, ReactNative, Ruby on Rails, GraphQL
- Experience performing security assessments and secure design of hardware and firmware of medical devices communicating over Bluetooth