Hims & Hers Health, Inc. (better known as Hims & Hers) is a multi-specialty telehealth platform building a virtual front door to the healthcare system. Hims & Hers connects consumers to licensed healthcare professionals, enabling people to access high-quality medical care—from wherever is most convenient—for numerous conditions related to primary care, mental health, sexual health, skincare, and more. Launched in November 2017, the platform also offers thoughtfully created and curated health and wellness products. With products and services available across all 50 states and Washington, D.C., Hims & Hers’ mission is to make it easier for all Americans to access affordable care and treatment for conditions that impact their daily lives. In January 2021, the company was listed on the NYSE at an initial valuation of $1.6 billion and is traded under the ticker symbol “HIMS”. To learn more about our brand and offerings, you can visit forhims.com and forhers.com.

The Application Security Engineer will build and maintain secure distributed systems related to identity and access management, microservice security, web/mobile security, and much more. They will also integrate security features, tools, and validation/detection processes into the product development lifecycle. This role will work closely with Product and Engineering teams to develop tools and processes to automate the identification of security flaws, and identify effective mitigating controls where feasible in the application stack to build resilience into the products. The candidate will partner with Engineering Teams to diagnose, document, and remediate application security vulnerabilities. Additional responsibilities include evaluating, recommending, and implementing application-security-related solutions in an automated continuous integration/deployment environment. Further, the engineer must be comfortable leading and training developers in secure SDLC best practices. Candidates with strong communication skills, excellent creative problem-solving skills, and experience working on cloud-based products will be most successful in this role.

Responsibilities:

  • Build internal libraries and APIs that help our engineering teams leverage best practices in data security.
  • Collaborate with Security, Engineering, Product, and Data teams to incorporate strong security controls, apply security best practices in our development life cycle, and mitigate risks and security vulnerabilities.
  • Promote and drive the implementation of a data security architecture that supports Engineering's and the business's goals and deliverables, through strategy, design, requirements, and code.
  • Implement technical prototypes to understand new technologies as well as identify and manage risks for projects in active development.
  • Contribute to improving the organization’s data security patterns, security controls and best practices.
  • Mentor team members and engineers on security best practices.

You are a good fit if you have:

  • 5+ years of software development experience.
  • Experience creating public or internal APIs.
  • A passion for and a solid understanding of what it takes to build and maintain secure, reliable, observable, and highly scalable systems in collaboration with multiple teams.
  • Experience building software with Java, Kotlin, Golang, Rust, Python, or any other concurrency-friendly language.
  • Ability to collaborate and provide a clear point of view to multiple teams, ensuring results are aligned with company business objectives and delivered within planned timelines.
  • Outstanding written and oral communication skills with the ability to develop internal processes and articulate assessment results.

Preferred skills:

  • Prior experience in cloud-based product environments.
  • Prior experience with modern application architecture (API-based) and web/mobile applications.
  • Bachelor's degree in a relevant technical field/equivalent knowledge and experience.
  • Experience with PostgreSQL or other relational databases.
  • Familiarity with Cybersecurity Frameworks including OWASP Top 10 & ASVS, NIST 800-53, NIST CSF, CIS Top 20, MITRE ATT&CK, etc.
  • Knowledge of cryptography, authentication/authorization, SSO, federation protocols and standards (SSL/TLS, SAML, OAuth2, JWT), microservice security, among others.
  • Experience with implementing security controls for data governance laws such as HIPAA, SOC2, PCI, and GDPR.
  • Certified in one or more of the following security certifications: CISSP, CISM, CEH, GCIH, GCSA, GCPN, GSEC.

Hims is an Equal Opportunity Employer and considers applicants for employment without regard to race, color, religion, sex, orientation, national origin, age, disability, genetics or any other basis forbidden under federal, state, or local law. Hims considers all qualified applicants in accordance with the San Francisco Fair Chance Ordinance.
