Product Security Engineer

Candidhealth
San Francisco (CA); Denver (CO); New York (NY), US

Who this role is best for

Best suited to mid-level security engineers with cloud architecture experience who thrive in collaborative product development environments.

Best fit for

  • Security engineers comfortable influencing architecture without slowing development velocity.
    — “Proven ability to influence and collaborate with engineering teams without hindering development velocity.
  • Cloud-native security specialists familiar with OWASP Top 10 risks.
    — “Deep understanding of modern web/cloud architecture and familiarity with the OWASP Top 10.

Things to consider

  • Equity-heavy compensation structure may impact short-term cash compensation.
    — “we heavily value the potential upside from equity in our compensation package.
  • Broad experience ranges within roles despite mid-level title.
    — “has broad ranges of experience represented within roles.

How to stand out

  • Demonstrate specific examples of building security automation tools.
    — “Build, maintain, and tune security automation tools to reduce friction for developers.
  • Highlight threat modeling experience during feature design phases.
    — “Lead threat modeling sessions during the architectural design phase of new features.
  • Showcase compliance knowledge relevant to healthcare technology.
    — “Knowledge of compliance frameworks relevant to our industry (e.g., SOC2, ISO27001, HIPAA).
Pace · Fast PacedCollaboration · HighAutonomy · MediumDecision Impact · TeamLevel · Senior

Derived from job-description analysis by Serendipath's career intelligence engine.

What success looks like

  • successful threat modeling sessions
  • integration of security tooling into developer workflows
  • reduction in security incidents
Typical background
5+ years of experience in software engineering or security engineering

Skills & requirements

Required

Product SecurityThreat ModelingSecure Development LifecycleVulnerability ManagementSecurity ToolingSecure Coding StandardsIncident ResponseSupply Chain Security

Preferred

PythonGoJavaJavaScriptOwaspApi SecurityMicroservicesKubernetesAWSGCPAzure

Stack & domain

PythonGoJavaJavaScriptOwaspHealthcareData ScienceMachine Learning

About the role

Original posting from Candidhealth via Ashby

WHAT WE DO

We’re fixing one of the most broken and costly pieces of the US healthcare system: medical billing.

Today, healthcare providers spend over $250B each year on administrative overhead just to get paid by insurance. Medical billing is expensive because it’s nuanced and hard - maybe ~100x harder than credit card payment processing - and because it’s traditionally done by armies of humans who track and manage complex rules and processes specific to individual insurance companies with little or no supporting software. We’re rethinking medical billing from the ground up, building software backed by best-in-class data science (and, soon, a dash of machine learning) to automate much of this complexity so healthcare providers can get paid dramatically more easily and inexpensively.

We were in the Y Combinator W20 batch and have since been well funded by a world-class group of funds (8VC, First Round Capital, BoxGroup, Oak HC/FT) + angel investors. We're now helping our customers treat opioid addiction, provide holistic care for women, lose weight, increase access to mental health care, and much more. This is such important and gratifying work; we can't wait for you to join our team and help support some of the most important innovation happening in healthcare today!

Curious to learn more about our story? Check out this blog post https://candidhealth.com/blog/candid-origin-story written by our founders.

ROLE OVERVIEW

We are looking for a Product Security Engineer to join our team and act as a champion for security within our product engineering organization. You will be responsible for ensuring our products are designed, developed, and maintained with security as a core pillar. You will work in partnership with development squads to perform threat modeling, guide secure architecture decisions, and automate security gates in our CI/CD pipelines.

KEY RESPONSIBILITIES

  • Security by Design: Lead threat modeling sessions during the architectural design phase of new features to identify potential risk vectors early.
  • Secure Development Lifecycle (SDLC): Drive the adoption of "Shift Left" security practices, integrating security tooling (SAST, DAST, SCA) directly into developer workflows.
  • Vulnerability Management: Triage, prioritize, and partner with engineering teams to remediate vulnerabilities found in code, third-party libraries, and cloud infrastructure.
  • Security Tooling & Automation: Build, maintain, and tune security automation tools to reduce friction for developers while maintaining high-security standards.
  • Secure Coding Standards: Develop and deliver training, coding patterns, and security guardrails to help engineering teams build resilient, secure-by-default products.
  • Incident Response Support: Assist in identifying the root cause of security incidents related to product features and contribute to post-incident remediation and architectural improvements.
  • Supply Chain Security: Build out processes and automation to ensure the security of open-source dependencies.

-

REQUIRED QUALIFICATIONS

  • Experience: 5+ years of experience in software engineering or security engineering, specifically focusing on product security or application security.
  • Technical Skills:
  • Proficiency in one or more programming languages (e.g., Python, Go, Java, or JavaScript).
  • Deep understanding of modern web/cloud architecture (e.g., APIs, Microservices, Kubernetes, AWS/GCP/Azure).
  • Familiarity with the OWASP Top 10 and common exploitation techniques.
  • Collaboration: Proven ability to influence and collaborate with engineering teams without hindering development velocity.
  • Problem Solving: Strong analytical skills to evaluate complex systems and design innovative, practical security solutions.

PREFERRED SKILLS (NICE TO HAVE)

  • Experience with Infrastructure as Code (IaC) security (e.g., Terraform, CloudFormation).
  • Experience in designing cryptographic implementations or secure authentication/authorization flows (e.g., OAuth, OIDC, JWT).
  • Knowledge of compliance frameworks relevant to our industry (e.g., SOC2, ISO27001, HIPAA).

PAY TRANSPARENCY

The estimated starting annual salary range for this position is $180,000 - 258,000 USD. The listed range is a guideline from Pave https://www.pave.com/ data, and the actual base salary may be modified based on factors including job-related skills, experience/qualifications, interview performance, market data, etc. Total compensation for this position may also include equity, sales incentives (for sales roles), and employee benefits. Given Candid Health’s funding and size, we heavily value the potential upside from equity in our compensation package. Further note that Candid Health has minimal hierarchy and titles, but has broad ranges of experience represented within roles.

Source: Candidhealth careers (Ashby)

Similar roles