At Nuna, our mission is to make high-quality healthcare affordable for everyone. We are dedicated to tackling one of our nation’s biggest problems with ingenuity, creativity, and a keen moral compass.
Nuna is committed to simple principles: a rigorous understanding of data, modern technology, and most importantly, compassion and care for our fellow humans. We want to know what really works, what doesn't, and why.
Nuna partners with healthcare payers, including government agencies and health plans, to turn data into learnings and information into meaning.
The Security team at Nuna works to ensure the security of our infrastructure, our people, our data, and our code. We serve Nuna as builders, protectors, educators, and advisors. We bring compassion and empathy to the work of securing Nuna's data and people: we understand what teams need and proactively identify the risks the company faces. We are passionate about creating solutions that support and secure the company, and about educating and empowering everyone to build and design secure solutions themselves.
You’ll be part of our Product Security team, which is responsible for working with our data engineering teams to ensure our products are built with security in mind using secure-by-default frameworks. With millions of healthcare records to secure, product security is critical to safeguard this data and prevent any breaches that could impact millions of American lives. You will be involved in all stages of the Software Development Life Cycle (SDLC) to ensure secure product development.
You will support a variety of products, each with its own unique and exciting challenges. Key areas in which you would work with our product teams include:
- Internal threat modeling of our environment, including but not limited to infrastructure, products, and applications; engaging with product teams through training and working sessions to better secure their products; and enabling those teams to perform their own threat modeling.
- Managing our external bug bounty program by triaging incoming vulnerabilities, risk rating and prioritizing them, and working with the product teams to resolve them.
- Identifying vulnerability classes and eliminating them across all codebases, rather than fixing individual occurrences, so that the same class does not recur.
- Improving our CI/CD pipeline by baking in security checks without slowing down the product teams.
- Implementing Static and Dynamic Analysis tools in our existing SDL processes.
- Performing security code reviews and architecture design reviews.
- Evangelizing secure-by-default frameworks by helping product teams adopt them and catching any deviations from them.
- Communicating risks to engineering staff through training and technical demonstration of vulnerabilities and secure design patterns.
- Building an Application Security pipeline in which every vulnerability identified at any stage of the SDL (by automated tooling or manual review) is tracked and measured, so that the results can be used to improve the security posture of the company.
We are looking to bring on someone with the following skillsets:
- Software development experience and deep familiarity with Secure Development Lifecycles.
- Proficiency in at least one of the following languages: Python, Go, Bash.
- Web security fundamentals, including but not limited to the OWASP Top 10 web application vulnerabilities.
- Understanding of Single Page Applications (SPAs) and security controls associated with them.
- Experience with dynamic/static analysis tools.
- Practical experience with security architecture, design and implementation in large scale products and cloud infrastructure.
- Experience in writing understandable, testable, secure code with an eye towards maintainability.
- Ability to lead technical architecture discussions and help drive technical decisions.
- Knowledge of authentication and authorization mechanisms such as SAML and OAuth.
These are great to have, but we understand not everyone comes from the same background!
- AWS or GCP experience.
- Experience with newer technologies such as containers, microservices, serverless, and Kubernetes.
Nuna is an Equal Employment Opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, age, disability, genetics and/or veteran status.