Software Engineer Security

📋 Description

• • Own the security posture of a fast-growing tele-health platform that already serves tens of thousands of patients across the United States. You will be the first dedicated security engineer, giving you the rare chance to define strategy, select tooling, and embed security-by-design into every layer of Hone’s architecture.
• • Design, build, and maintain secure-by-default pipelines for our Ruby on Rails monolith and React front-end, integrating SAST, DAST, secret-scanning, and container vulnerability management into GitHub Actions so that every commit is automatically vetted before it reaches staging.
• • Lead threat-modeling sessions with product managers, clinicians, and engineers, translating HIPAA, SOC-2, and emerging FDA guidance into concrete user stories and acceptance criteria that the whole team can understand and act on.
• • Build and operate a continuous compliance program: map controls to frameworks (HIPAA, SOC-2 Type II, HITRUST), automate evidence collection, and partner with external auditors to achieve and renew certifications without slowing release velocity.
• • Instrument real-time security telemetry across AWS (EKS, RDS, S3, CloudTrail, GuardDuty), Slack, PagerDuty, and Datadog; tune detection rules to eliminate false positives and ensure that any anomalous access to PHI triggers a page within minutes.
• • Craft secure coding guidelines, run quarterly internal CTFs, and mentor backend and frontend engineers so that security becomes a shared responsibility rather than a final gate.
• • Evaluate and integrate third-party APIs (labs, pharmacies, insurance) with a zero-trust mindset: enforce mTLS, scoped tokens, rate-limiting, and field-level encryption to protect patient data in motion and at rest.
• • Perform purple-team exercises and coordinate external penetration tests twice a year; triage findings, build remediation plans, and present executive-level risk dashboards to the CTO and Clinical Leadership.
• • Champion privacy-first product decisions—whether that means differential privacy for analytics, end-to-end encryption for in-app chat, or granular consent flows that let patients control how their hormone-optimization data is used.
• • Contribute to Hone’s open-source security projects (we maintain a Rails security gem and a React auth wrapper) and publish blog posts that establish the company as a thought leader in digital-health security.
• • Collaborate with our Data Science team to secure ML pipelines that predict optimal treatment protocols; ensure model artifacts, training data, and inference endpoints are encrypted, access-logged, and isolated.
• • Influence the technical roadmap: as we expand into at-home diagnostics and wearable integrations, you will assess new attack surfaces (Bluetooth, firmware, mobile SDKs) and design mitigations before a single line of code is written.
• • Enjoy the autonomy of a remote-first culture while still having the support of weekly security guild meetings, an annual security budget for conferences and tooling, and direct access to the founders for quick strategic decisions.