Security Engineer (API Specialist)

We are CONNECTING HEALTH AND WEALTH. Come be part of remarkable. 

How you can make a difference  

HealthEquity is hiring a Security Engineer with a specialization in APIs to join our DevSecOps team. The ideal candidate will play a crucial role in enhancing our API-centric development approach, managing API security tools, and ensuring the security of our systems within an Azure environment. Our DevSecOps team is focused on high performance, tracking work in a management system to demonstrate progress towards our goals. We value meaningful security work over security theater, emphasizing evidence-backed security measures. 

What you’ll be doing

• Own the API security program, including strategic planning, tool selection, and demonstrating program value through metrics.
• Implement and manage API security tools, focusing on identifying full-featured API security solutions.
• Work closely with development teams to integrate security principles in API development and ensure compliance with security standards.
• Support the DevSecOps team in areas such as container security, application security testing tools, and infrastructure as code scanning.
• Strategically manage, identify, and track new technologies to ensure a comprehensive security tool stack configuration to address threats and gaps, particularly related to API security.
• Build and present business cases on new technologies to address new and emerging risks, as well as gaps identified by external and internal assessors.
• Lead work in security controls and requirements identification for large and small technology and business initiatives.
• Build strong relationships with other technical personnel to create trust in guidance and insight on security topics.
• Maintain and improve policy and standards documentation relating to API security.

What you will need to be successful

• Bachelor’s degree in Information Systems, Cybersecurity or a related field and minimum 2 years’ relevant experience; or equivalent combination of education and experience.
• Demonstrated experience as a professional security engineer and/or software engineer, particularly regarding APIs and modern software architecture.
• Experience with Azure cloud environments and familiarity with API management tools like Azure APIM and Kong..
• Experience executing and performing security risk assessments for on-premise and cloud-based services.
• Advanced security certification (e.g., CISSP, CSSLP, CEH) or demonstrable level of compentency preferred
• Agile/Scrum and Microsoft Azure experience are beneficial with expert-level working knowledge of API Security and the concepts and tooling that can help protect them.
• Expert knowledge of leading information security frameworks and best practices (OWASP API Top 10, NIST Cybersecurity Framework, ISO27001/2, and CIS Top 20 Controls), and extensive experience applying frameworks to identify appropriate security measures and applying multiple risk treatments
• An API attacker mindset that is only satisfied when defense-in-depth controls are in place but will still question assumptions about our existing security posture.
• Ability to perform high-quality and effectual threat modeling.
• Ability to present complex security recommendations and influence both senior leaders and technology SMEs.
• Ability to research, identify and iterate on new security metrics to provide greater visibility on program status and improvement opportunities to senior leadership
• Ability to clearly and logically document all procedures related to this role and a passion for keeping documentation up to date
• Excellent interpersonal skills including the ability to interact effectively and professionally with individuals at all levels; both internal and external
• Team player capable of developing strong collaborative working relationships with internal partners and able to effectively engage and build consensus among cross-functional teams
• Experience in financial services or healthcare industries, dealing with sensitive data protection is a plus.
• Familiarity with container security, application security testing tools, and infrastructure as code scanning is a plus. 

#LI-Remote

This is a remote position.

The compensation range describes the typical minimum or maximum base pay range for this position. The actual compensation offer is determined based on job-related knowledge, education, skills, experience, and work location. This position will be eligible for performance-based incentives as part of the total compensation package, in addition to a full range of benefits including:

• Medical, dental, and vision
• HSA contribution and match
• Dependent care FSA match
• Uncapped paid time off
• Adventure accounts
• Paid parental leave
• 401(k) match
• Personal and healthcare financial literacy programs
• Ongoing education & tuition assistance
• Gym and fitness reimbursement
• Wellness program incentives

Why work for HealthEquity 

HealthEquity has a vision that by 2030 we will make HSAs as wide-spread and popular as retirement accounts. We are passionate about providing a solution that allows American families to connect health and wealth. Join us and discover a work experience where the person is valued more than the position. Click here to learn more. 

Come be your authentic self

HealthEquity, Inc. is an equal opportunity employer that is committed to inclusion and diversity. We take affirmative action to ensure equal opportunity for all applicants without regard to race, age, color, religion, sex, sexual orientation, gender identity, national origin, status as a qualified individual with a disability, veteran status, or other legally protected characteristics. HealthEquity is a drug-free workplace. For more information about our EEO policy, or about HealthEquity’s applicant disability accommodation, drug-free-workplace, background check, and E-Verify policies, please visit our Careers page.

HealthEquity is committed to your privacy as an applicant for employment.  For information on our privacy policies and practices, please visit HealthEquity Privacy.