Location: San Francisco, CA or Remote throughout US

Invitae is dedicated to bringing comprehensive genetic information into mainstream medicine to improve healthcare for billions of people. Our team is driven to make a difference for the patients we serve. We are leading the transformation of the genetics industry, by making genetic testing affordable and accessible for everyone to guide health decisions across all stages of life. 

Our Information Security Team is pushing the envelope on shift-left strategies to ensure all software development and IT operations at Invitae adhere to security best practices from inception to implementation. We’re looking for individuals passionate about furthering this vision and helping to redefine what state of the art means!

What you’ll do:

The Sr. Application Security Engineer will be responsible for: 

  • Ensuring web applications, APIs and cloud services are planned, designed, developed, implemented, and monitored in accordance with the Information Security Policy and associated HITRUST, HIPAA, PCI and SOX security controls
  • Developing, implementing and monitoring enterprise information security architectures and solutions
  • Designing and automating assessments through penetration testing and ethical hacking, then analyzing security risks and recommending mitigating and compensating security controls.
  • Working closely with the Security Operations Team to develop new incident response plans and playbooks related to web application security threats
  • Working closely with engineering and QA to ensure security principles are enforced in all stages of the software development lifecycle
  • Participating in source code reviews and providing assessments of changes to application design and architecture prior to release to production
  • Working closely with cross functional teams to embed security, logging, and auditing in all applications hosted within the corporate and cloud environments
  • Performing assessments of security tools, vendors and solutions to support information security roadmap initiatives
  • Developing and maintaining a program to deliver on demand training associated with high risk coding practices and detected software security vulnerabilities
  • Working closely with Security Governance & Compliance to develop and deliver required compliance training related to secure software development best practices
  • Performing internal penetration testing working closely with the engineering team to assess and prioritize discovered security issues and vulnerabilities
  • Maintaining and supporting application security tools, including static and dynamic security analysis solutions, and developing relevant documentation
  • Leading a cross functional team of security and engineering champions to mature software development practices throughout the organization based upon BSIMM guiding principles
  • Working closely with the CISO to develop metrics and dashboards for executive reporting on the progress and status of application security initiatives and objectives

What you bring:

  • Minimum 7+ years of experience in Information Security with an emphasis on application security
  • At least one security related certification, such as CISSP, GIAC, CSSLP or CEH, required. OSCP strongly preferred.
  • Experience with the development, deployment, and automation of application security solutions in an enterprise cloud based environment
  • Deep understanding of OWASP Top 10 and CWE/SANS Top 25
  • Demonstrated proficiency in ethical hacking and white hat penetration testing techniques
  • In-depth knowledge of web application architecture, API development, and MVC frameworks required
  • Proven ability to manage priorities and deadlines and to work independently in a highly dynamic and diverse environment with multiple concurrent projects
  • Demonstrated experience in investigating security issues related to web application exploits, credential stealing and authentication-based exploits
  • Familiar with threat models for large, distributed systems and cloud-based SaaS infrastructure
  • Experience in DevOps environments and maintaining security in CI/CD processes highly desired
  • Solid understanding of AWS architecture and services
  • Knowledge of technical security control environments and compliance frameworks including CSA CCM, ISO 27001 and SOC 2. Strong understanding of HITRUST highly desired.
  • Hands-on technical proficiency with Burp Suite, Metasploit and Kali Linux highly preferred.
  • Experience in creating detailed solution design documents & diagrams
  • Demonstrated ability to facilitate automation and integration through scripting highly preferred.
  • Demonstrated proficiency in JavaScript, HTML, React/Angular and Python. Programming experience in Java, Go, Scala, Python, C++ or C highly preferred.

At Invitae, we value diversity and provide equal employment opportunities (EEO) to all employees and applicants without regard to race, color, religion, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status. We will consider for employment qualified applicants with criminal histories in a manner consistent with the requirements of the San Francisco Fair Chance Ordinance.

U.S. Equal Opportunity Employment Information (Completion is voluntary)

Individuals seeking employment at Invitae are considered without regards to race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity, or sexual orientation. You are being given the opportunity to provide the following information in order to help us comply with federal and state Equal Employment Opportunity/Affirmative Action record keeping, reporting, and other legal requirements.

Completion of the form is entirely voluntary. Whatever your decision, it will not be considered in the hiring process or thereafter. Any information that you do provide will be recorded and maintained in a confidential file.

Race & Ethnicity Definitions

If you believe you belong to any of the categories of protected veterans listed below, please indicate by making the appropriate selection. As a government contractor subject to Vietnam Era Veterans Readjustment Assistance Act (VEVRAA), we request this information in order to measure the effectiveness of the outreach and positive recruitment efforts we undertake pursuant to VEVRAA. Classification of protected categories is as follows:

A "disabled veteran" is one of the following: a veteran of the U.S. military, ground, naval or air service who is entitled to compensation (or who but for the receipt of military retired pay would be entitled to compensation) under laws administered by the Secretary of Veterans Affairs; or a person who was discharged or released from active duty because of a service-connected disability.

A "recently separated veteran" means any veteran during the three-year period beginning on the date of such veteran's discharge or release from active duty in the U.S. military, ground, naval, or air service.

An "active duty wartime or campaign badge veteran" means a veteran who served on active duty in the U.S. military, ground, naval or air service during a war, or in a campaign or expedition for which a campaign badge has been authorized under the laws administered by the Department of Defense.

An "Armed forces service medal veteran" means a veteran who, while serving on active duty in the U.S. military, ground, naval or air service, participated in a United States military operation for which an Armed Forces service medal was awarded pursuant to Executive Order 12985.

Form CC-305

OMB Control Number 1250-0005

Expires 05/31/2023

Voluntary Self-Identification of Disability

Why are you being asked to complete this form?

We are a federal contractor or subcontractor required by law to provide equal employment opportunity to qualified people with disabilities. We are also required to measure our progress toward having at least 7% of our workforce be individuals with disabilities. To do this, we must ask applicants and employees if they have a disability or have ever had a disability. Because a person may become disabled at any time, we ask all of our employees to update their information at least every five years.

Identifying yourself as an individual with a disability is voluntary, and we hope that you will choose to do so. Your answer will be maintained confidentially and not be seen by selecting officials or anyone else involved in making personnel decisions. Completing the form will not negatively impact you in any way, regardless of whether you have self-identified in the past. For more information about this form or the equal employment obligations of federal contractors under Section 503 of the Rehabilitation Act, visit the U.S. Department of Labor’s Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp.

How do you know if you have a disability?

You are considered to have a disability if you have a physical or mental impairment or medical condition that substantially limits a major life activity, or if you have a history or record of such an impairment or medical condition.

Disabilities include, but are not limited to:

  • Autism
  • Autoimmune disorder, for example, lupus, fibromyalgia, rheumatoid arthritis, or HIV/AIDS
  • Blind or low vision
  • Cancer
  • Cardiovascular or heart disease
  • Celiac disease
  • Cerebral palsy
  • Deaf or hard of hearing
  • Depression or anxiety
  • Diabetes
  • Epilepsy
  • Gastrointestinal disorders, for example, Crohn's Disease, or irritable bowel syndrome
  • Intellectual disability
  • Missing limbs or partially missing limbs
  • Nervous system condition for example, migraine headaches, Parkinson’s disease, or Multiple sclerosis (MS)
  • Psychiatric condition, for example, bipolar disorder, schizophrenia, PTSD, or major depression

[1] Section 503 of the Rehabilitation Act of 1973, as amended. For more information about this form or the equal employment obligations of Federal contractors, visit the U.S. Department of Labor's Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp.

PUBLIC BURDEN STATEMENT: According to the Paperwork Reduction Act of 1995 no persons are required to respond to a collection of information unless such collection displays a valid OMB control number. This survey should take about 5 minutes to complete.