Senior Product Security Engineer
Merative
Join a team dedicated to supporting the crucial mission of improving health outcomes.
At Merative, you can apply your skills – and grow new ones – with colleagues who have deep expertise in health and technology. Merative provides data, analytics and software for the health industry. Our clients include providers, health plans, employers, life sciences companies and governments around the world. With industry-leading products and focused innovation, we help customers improve decision-making and performance so that together, we drive real progress in health. Learn more at merative.com
Overview: We are looking for a skilled Senior Product Security Engineer to join our Cúram Security Team, which is essential to ensuring the security and compliance of our health and human services (HHS) IT solutions. This role will work closely with Product Development, CISO, and other security functions to assess, implement, and manage critical security controls, regulatory requirements, and incident response protocols. This position is vital to maintaining a proactive security posture for our products, going beyond daily developer security considerations to encompass a broad range of security practices.
Key Responsibilities:
Define, review and validate application security requirements with Product Development teams, ensuring alignment with security standards.
Integrate security features for authentication and authorization, using technologies such as OIDC, SAML SSO and JAAS.
Implement controls to address vulnerabilities, including OWASP Top 10 risks like CSRF, XSS and XXE.
Collaborate with development teams to validate security fixes and promote best practices.
Review codebases for vulnerabilities and assess issues flagged by security scanning tools.
Serve as a primary responder to security issues identified by the Product Security Response Team (PSRT), coordinating efforts for timely remediation.
Interpret and communicate PSRT advisory reports to development teams, providing guidance to address identified vulnerabilities.
Conduct Open Source Software (OSS) vulnerability assessments to maintain secure software dependencies.
Perform static and dynamic application security testing (SAST and DAST) with tools like SonarQube and Burp Suite Pro to proactively identify security risks.
Configure and manage security scanning tools to meet project needs.
Conduct internal penetration tests and support external pen testers in assessments of on-premises and Kubernetes-based applications.
Document, assess and address security risks and any deviations from security standards.
Serve as a primary contact for security incidents, handling security-related customer cases and incident responses.
Coordinate with the CISO team for security sign-offs on product releases.
Support ISO 27001 and other certification efforts to ensure compliance with industry standards.
Basic Qualifications:
Security Expertise: Deep knowledge of security vulnerabilities, risks, and mitigation techniques, with experience in vulnerability management practices built on standards such as CVE (vulnerability identification) and CVSS (severity scoring).
Technical Skills:
Proficiency in SAST, DAST and IAST security scanning tools (e.g., SonarQube, Burp Suite) and software composition analysis tools like JFrog Xray.
Expertise in integrating and managing security tools within CI/CD pipelines using GitHub Advanced Security and Jenkins.
Strong skills in Java, JavaScript, XML, and YAML for application security, configuration management, and security automation.
Solid understanding of Kubernetes security and cloud environment configurations.
Understanding of security requirements for deployments on application servers, including IBM WebSphere Liberty, IBM WebSphere Application Server and Oracle WebLogic Server.
Proficiency in cryptographic algorithms, including encryption, hashing, digital signatures, and secret key management, ensuring secure data transmission and storage.
Risk Management Knowledge: Experience managing security risks and ensuring compliance within regulated industries, ideally in HHS.
Collaboration and Communication Skills: Proven ability to work cross-functionally and communicate security requirements with both technical and non-technical stakeholders.
Problem-Solving Skills: Strong analytical abilities to identify, evaluate, and resolve complex security issues.