Security Engineer

Burlingame, California / Engineering / Full-Time
Recently named by Rock Health as the 'Best Digital Health Company to Work For,' Color is a leading healthcare technology company. Color makes population-scale healthcare programs accessible, convenient, and cost-effective for everyone. Color works with health systems, employers, and national health initiatives around the world including the million-person All of Us Research Program by the National Institutes of Health. 

Since March, Color has mobilized to repurpose core parts of its infrastructure for a massive COVID-19 response and helped fundamentally change the access model for COVID-19 testing across massive public health programs (including the City of San Francisco and community-based efforts in Oakland), major U.S. employers, and universities. For more information about Color and its response to COVID-19, visit www.color.com.

Color's current engineers span a wide range of interests, skills, and backgrounds. Many of us are infosec savvy and capable, but none of us do security full time. That's why we need you!
As Color's first full-time security engineer, you will take the lead on defining and implementing the team's overall security posture across our code, systems, and processes. You'll have a capable partner on the IT side, so you'll focus on software engineering and ops specifically.
This role mixes hands-on IC work with opportunities for leadership and working with other orgs across the company. You'll spend plenty of time researching vulnerabilities and writing code, but you may also help define our privacy posture, apply threat modeling to on-site clinical health care, teach engineers how to think like black hats, and much more.
Previous background in security is a plus but not strictly required. Show us you have the security mindset and see everything as a system to be exploited...and protected!

How You'll Contribute:

    • Own and improve the overall security of our code, architecture, and processes
    • Apply threat modeling as a primary tool to understand and secure our systems
    • Help the entire Color engineering team learn and apply the security mindset when they design systems and write code
    • Drive company-wide efforts to improve our security posture
    • Support IT in securing third-party systems and tools that we don't build and run ourselves
    • Design and drive secure audit logging for all employee access to PHI (personal health information)
    • Analyze, quantify, and protect public datasets like Color Data from re-identification attacks
    • Coordinate external penetration tests. Triage, prioritize, implement, and help other engineers fix issues that arise.
    • Evaluate, select, and help integrate modern security tools (e.g. IDSes) into our production and employee IT environments
    • Help engineers run fuzzers, scanners, static analyses, and other tools on our code and systems to discover vulnerabilities
    • Review and triage security disclosures from external researchers
    • Support and lead security compliance efforts, e.g. FISMA and HIPAA
    • Maintain resources for customers on our security posture and practices. Support our sales team when they answer questions.

Our Ideal Candidate Will Have:

    • You have the security mindset ingrained and see everything as a system to be exploited...and protected!
    • You understand that security is a spectrum of risk vs cost, and that nothing is bulletproof or unbreakable
    • You believe in craft and pragmatism: solving the problem at hand with the best tools for the job, whether that's custom code, third-party tools, human processes, or watchful waiting
    • You are excited about collaborating with product engineers, lab scientists, academic researchers, business people, and others across Color’s organization
    • You have strong opinions (loosely held) about modern security practices and techniques
    • You work best in a collaborative development environment, giving/receiving feedback on code reviews and designs to help the team sharpen its thinking and practices
    • You are intrinsically motivated, able to execute independently, while being proactive about seeking input from colleagues
    • You're confident in coding in Python and an expert at managing and developing in cloud environments like AWS, with a variety of data stores, backends, and caching layers. You have experience with modern web frameworks like Django
    • You enjoy teaching other engineers about security!
Color is an equal opportunity employer. In accordance with anti-discrimination law, it is the purpose of this policy to effectuate these principles and mandates. Color prohibits discrimination and harassment of any type and affords equal employment opportunities to employees and applicants without regard to race, color, religion, sex, national origin, disability status, protected veteran status, or any other characteristic protected by law. Color conforms to the spirit as well as to the letter of all applicable laws and regulations.