
Product Security Engineer

Candid Health
Posted 2 days ago, valid for 12 days
Location: Hooper, CO 81136, US

Salary: $180,000 - $258,000 per year

Contract type: Full Time

By applying, a Sonicjobs account will be created for you. Sonicjobs's Privacy Policy and Terms & Conditions will apply.


Sonic Summary

  • Candid Health is seeking a Product Security Engineer to enhance security within their product engineering organization.
  • The role requires a minimum of 5 years of experience in software engineering or security engineering, focusing on product or application security.
  • Key responsibilities include leading threat modeling sessions, driving secure development practices, and managing vulnerabilities in code and infrastructure.
  • The estimated starting annual salary for this position ranges from $180,000 to $258,000 USD, with total compensation potentially including equity and benefits.
  • Candidates should have proficiency in programming languages like Python or Java, along with a deep understanding of modern web/cloud architectures.

What we do

We’re fixing one of the most broken and costly pieces of the US healthcare system: medical billing.

Today, healthcare providers spend over $250B each year on administrative overhead just to get paid by insurance. Medical billing is expensive because it’s nuanced and hard - maybe ~100x harder than credit card payment processing - and because it’s traditionally done by armies of humans who track and manage complex rules and processes specific to individual insurance companies with little or no supporting software. We’re rethinking medical billing from the ground up, building software backed by best-in-class data science (and, soon, a dash of machine learning) to automate much of this complexity so healthcare providers can get paid dramatically more easily and inexpensively.

We were in the Y Combinator W20 batch and have since been well funded by a world-class group of funds (8VC, First Round Capital, BoxGroup, Oak HC/FT) + angel investors. We're now helping our customers treat opioid addiction, provide holistic care for women, lose weight, increase access to mental health care, and much more. This is such important and gratifying work; we can't wait for you to join our team and help support some of the most important innovation happening in healthcare today!

Curious to learn more about our story? Check out this blog post written by our founders.

Role Overview

We are looking for a Product Security Engineer to join our team and act as a champion for security within our product engineering organization. You will be responsible for ensuring our products are designed, developed, and maintained with security as a core pillar. You will work in partnership with development squads to perform threat modeling, guide secure architecture decisions, and automate security gates in our CI/CD pipelines.

Key Responsibilities

  • Security by Design: Lead threat modeling sessions during the architectural design phase of new features to identify potential risk vectors early.

  • Secure Development Lifecycle (SDLC): Drive the adoption of "Shift Left" security practices, integrating security tooling (SAST, DAST, SCA) directly into developer workflows.

  • Vulnerability Management: Triage, prioritize, and partner with engineering teams to remediate vulnerabilities found in code, third-party libraries, and cloud infrastructure.

  • Security Tooling & Automation: Build, maintain, and tune security automation tools to reduce friction for developers while maintaining high-security standards.

  • Secure Coding Standards: Develop and deliver training, coding patterns, and security guardrails to help engineering teams build resilient, secure-by-default products.

  • Incident Response Support: Assist in identifying the root cause of security incidents related to product features and contribute to post-incident remediation and architectural improvements.

  • Supply Chain Security: Build out processes and automation to ensure the security of open-source dependencies.

Required Qualifications

  • Experience: 5+ years of experience in software engineering or security engineering, specifically focusing on product security or application security.

  • Technical Skills:

    • Proficiency in one or more programming languages (e.g., Python, Go, Java, or JavaScript).

    • Deep understanding of modern web/cloud architecture (e.g., APIs, Microservices, Kubernetes, AWS/GCP/Azure).

    • Familiarity with the OWASP Top 10 and common exploitation techniques.

  • Collaboration: Proven ability to influence and collaborate with engineering teams without hindering development velocity.

  • Problem Solving: Strong analytical skills to evaluate complex systems and design innovative, practical security solutions.

Preferred Skills (Nice to Have)

  • Experience with Infrastructure as Code (IaC) security (e.g., Terraform, CloudFormation).

  • Experience in designing cryptographic implementations or secure authentication/authorization flows (e.g., OAuth, OIDC, JWT).

  • Knowledge of compliance frameworks relevant to our industry (e.g., SOC2, ISO27001, HIPAA).

Pay Transparency

The estimated starting annual salary range for this position is $180,000 - 258,000 USD. The listed range is a guideline from Pave data, and the actual base salary may be modified based on factors including job-related skills, experience/qualifications, interview performance, market data, etc. Total compensation for this position may also include equity, sales incentives (for sales roles), and employee benefits. Given Candid Health’s funding and size, we heavily value the potential upside from equity in our compensation package. Further note that Candid Health has minimal hierarchy and titles, but has broad ranges of experience represented within roles.



