About Fabric Health

About the Role

What You'll Do

• Secure Development & Code Review: Partner with engineering teams to embed security throughout the SDLC across Fabric's Ruby on Rails, Python, React, and Node.js applications. Conduct security-focused code reviews and provide actionable guidance on secure coding practices.
• Threat Modeling & Assessment: Lead threat modeling exercises for new features and architectural changes. Conduct application penetration testing and vulnerability assessments across the platform, prioritizing findings and working directly with engineering to drive remediation.
• DevSecOps & Tooling: Implement and manage SAST and DAST tooling integrated into CI/CD pipelines. Build security guardrails and automated checks that allow engineering to move fast without introducing risk to the platform or patient data.
• Compliance & Risk: Ensure application security practices meet HIPAA, SOC 2, and HITRUST requirements. Assess third-party integrations and APIs for security risk, including EHR integrations with Epic and Cerner.
• Security Education & Culture: Run secure coding training and awareness programs for engineering teams. Serve as the internal subject matter expert on application security and lead response to application-layer security incidents.

Why You Might Be a Good Fit

• You think like an attacker and build like an engineer. You are as comfortable in a codebase as you are writing a threat model.
• You understand that in healthcare, a vulnerability is not just a technical problem. It is a patient safety and compliance problem.
• You prefer building guardrails and education programs over reactive patching.
• You can communicate security risk to engineering teams in a way that drives action, not defensiveness.
• You are energized by building a security practice and shaping how a fast-growing company approaches application security.

This Might Not Be The Right Fit If...

• You are primarily a compliance or GRC-focused security professional and are not comfortable getting into the code.
• You prefer working in a mature, established security program over building and defining one.
• You are not comfortable working closely with engineering as a partner rather than an oversight function.
• You do not have experience in a regulated environment where security decisions carry direct compliance implications.

Your Qualifications

• 5+ years of experience in application security with hands-on experience in security assessments, penetration testing, and secure code review.
• Proficiency in at least one language in Fabric's stack: Ruby, Python, JavaScript/TypeScript, or similar.
• Experience integrating SAST and DAST tooling into CI/CD pipelines.
• Deep understanding of the OWASP Top 10 and common application vulnerabilities.
• Experience with threat modeling methodologies.
• Familiarity with cloud security in AWS environments.
• Understanding of HIPAA or other regulated industry security requirements.

Bonus Points

• Experience securing healthcare applications or working with PHI.
• Familiarity with EHR integration security including FHIR, HL7, Epic, or Cerner APIs.
• Security certifications such as OSCP, GWEB, or BSCP.
• Experience with bug bounty program management.
• SOC 2 or HITRUST audit support experience.

The national pay range for this role is $130,000.00 – $160,000.00 per year. Actual compensation will be determined by factors such as the candidate's geographic market, experience, skills, and qualifications. Certain roles may also be eligible for additional compensation, including a comprehensive benefits package such as medical, dental, vision, unlimited PTO, and a 401(k) plan, stock options and bonuses. If your compensation requirement is greater than our posted range, please still consider applying; a determination can be made based on unique qualifications. Expected compensation ranges for this role may change over time.

At Fabric, we believe that a diverse workforce is essential to our success. We are an equal opportunity employer and are committed to creating an inclusive environment for all employees. We do not discriminate on the basis of race, color, religion, sex, national origin, age, disability, veteran status, or any other legally protected characteristic. We actively encourage individuals from all backgrounds to apply.

Recruitment Fraud Alert: Protect Yourself

• Verify the Domain: Official recruitment emails will only come from addresses ending in @fabrichealth.com or @gem.com. No other domain names are legitimate.
• Official Interview Tools: We use Gem for our recruitment process and Google Meet for all video interviews. Google Meet is always the platform used for your first interview; you will never be sent a Zoom link to set up or conduct an initial interview. All interviews are conducted via video unless specifically stated by our team as an audio call. We never conduct interviews via chat, social media, Skype, or WhatsApp.
• Zoom Usage: Zoom is utilized only for specific meetings set directly by our team for purposes outside of the standard interview process (e.g., coordination or onboarding discussions). It is never the first link you will receive from us.
• Authorized Contact & Texting: Fabric will only contact you if you have submitted an application or if you are connected to a current employee who shared your information with us. We will only send text messages if you have provided explicit authorization and consent, either through your application or while communicating directly with our team. If you have not explicitly authorized us to reach out, treat any SMS or unsolicited outreach as fraudulent and do not respond.
• Sensitive Data: We will never ask you for sensitive personal or financial documents (ID, banking info, SSN) during the application, interview, or candidacy stages. All sensitive data is handled through secure internal systems post-offer.
• Verify the Team: You can reference LinkedIn to verify members of our recruiting team; however, please remain vigilant as scammers may create fraudulent profiles. Always cross-reference the sender's email domain with our official @fabrichealth.com address.