Hi, we're Oscar. We're hiring a Senior Security Engineer, Application Security to join our Security team.

Oscar is the first health insurance company built around a full stack technology platform & a focus on serving our members. We started Oscar in 2012 to create the kind of health insurance company we would want for ourselvesone that behaves like a doctor in the family.

About the role

As a Senior Security Engineer, you will collaborate closely with cross-functional teams to proactively identify, address, & resolve security concerns across Oscar's comprehensive tech infrastructure, encompassing Web Applications, Mobile Apps, Networks, & Cloud systems. Your primary objective will be to safeguard classified information by thoroughly assessing & examining Oscar's applications & infrastructure by executing & documenting technical assessments based on esteemed industry standards (OWASP) & best practices, meticulously pinpointing security vulnerabilities within Oscar's owned assets. In addition, you will be responsible for presenting identified risks & providing guidance on best practices to prevent future vulnerabilities.

You will report to the Manager, Security Architecture.

Work Location

Oscar is a blended work culture where everyone, regardless of work type or location, feels connected to their teammates, our culture & our mission.

This is a hybrid role in our New York office (in Hudson Square).  You will be expected to come into the office at least two days each week & work-from-home on other days. #LI-Hybrid

Pay Transparency

The base pay for this role is: $144,000 - $189,000 per year. You are also eligible for employee benefits, participation in Oscars unlimited vacation program, company equity grants & annual performance bonuses.

Responsibilities

• Collaborate closely with cross-functional teams to proactively identify, address, & resolve security concerns across Oscar's comprehensive tech infrastructure, encompassing Web Applications, Mobile Apps, Networks, & Cloud systems, including proposing enhanced controls & procedural strategies to mitigate technical risks 
• Demonstrate an in-depth comprehension of Oscar's technological landscape
• Collaborate effectively with Security Leadership, providing insights into technical issues & their potential impacts
• Engage in multiple-layers of oscars Technology stack to design security measures around protecting Oscars systems
• Simplify intricate security concerns into actionable steps for effective remediation or risk mitigation
• Compliance with all applicable laws & regulations
• Other duties as assigned

What you may work on

Some sample projects in this role may include:

• Execute & meticulously document technical assessments based on esteemed industry standards (OWASP) & best practices, meticulously pinpointing security vulnerabilities within Oscar's owned assets. This includes conducting Threat Modeling, Architecture/Design Reviews, Application & Cloud Security Testing (Red Teaming), & Manual Vulnerability Assessments.
• Spearhead internal workshops involving cross-functional teams to analyze outcomes from technical assessments, devising comprehensive plans to mitigate identified risks effectively.
• Define robust hardening & secure design standards, leveraging them to conduct thorough application security reviews in collaboration with developer teams.

Qualifications

• 3+ years experience in Technology related field 
• 2+ years experience in Security

Bonus Points

• Familiarity with industry standards & compliance frameworks (such as SOC, SOX., NIST,, HIPAA) & experience in ensuring organizational adherence to these standards.
• Hands-on experience in developing Web/Mobile Applications.
• Hands-on experience in evaluating Web Applications, Cloud Environments, Mobile Applications, & Network security.
• Proficiency in industry-standard methodologies & frameworks for security testing (OWASP, OSSTM, PTES).
• Proficient familiarity with AWS & GCP.
• Experience utilizing containers & container orchestration technology (Mesos & Kubernetes).
• Possession of industry-recognized certifications pertaining to application/offensive security (OSCP, OSCE, OSWP, OSWA, OSWE, CSSLP).
• Experience in assessing containers for potential security vulnerabilities.
• Experience Threat Modeling