Job Description
Company: SIGHTVIEW SOFTWARE LLC
Role: Security Engineer I (Application Security)
Department: IT Security & Operations
Location: India, Remote
Job Type: Full-time
About the company:
Sightview Software LLC is a healthcare technology company providing intelligent EHR and practice management solutions built exclusively for eye care. We support ophthalmology, optometry, and optical practices with software designed to streamline clinical workflows, surgical planning, patient engagement, and business operations. Our platform includes EHR, practice management, optical management, ASC solutions, MIPS reporting, and revenue cycle management services—helping eye care providers focus on delivering exceptional patient care while improving efficiency and financial performance.
For further information, see our About Us page.
What would you do?
About the role:
You will partner closely with engineering teams building applications in PHP, .NET and other common languages, embed security into every stage of the SDLC, take part in incident response, and ensure our platform meets the rigorous compliance demands of the healthcare industry. This is not a governance-only seat. We need a practitioner who can run a penetration test in the morning and present an AppSec roadmap to the Security and Engineering team within a couple of days. You will have real ownership and direct access to leadership from day one.
Key Responsibilities:
- Assist in shaping, enhancing, and maturing the organization’s Application Security program, contributing to policies, standards, secure SDLC frameworks, and developer security training initiatives.
- Assist the VP of Information Security and IT in developing and maturing the broader security strategy, including the AppSec roadmap, risk registers, and executive reporting.
- Lead and execute web application penetration testing, API security assessments, code reviews, testing of desktop applications, and threat modeling across all product lines.
- Drive end-to-end Incident Response for application-layer security events — from triage and containment through remediation and post-mortem.
- Embed security into CI/CD pipelines — integrate SAST, DAST, SCA, and secrets scanning tooling into development workflows.
- Conduct OSINT reconnaissance and external attack surface management to proactively identify exposure before adversaries do.
- Own vulnerability management — triage, prioritize, and track remediation to closure in partnership with engineering.
- Support compliance activities for HIPAA, SOC 2 Type II, HITRUST, FedRAMP, and ISO 27001, including evidence preparation, audit support, and gap assessments.
- Evaluate third-party security tooling, vendor assessments, and security architecture reviews for new product integrations.
Skills and qualifications (mandatory):
- 5–8 years of hands-on application security experience, ideally within a Healthcare SaaS or regulated health-tech environment.
- Proven track record conducting full-scope web application and API penetration tests, with the ability to document findings for both technical and executive audiences.
- Proficiency with Kali Linux and the offensive security toolset — Metasploit, Nmap, Nikto, SQLmap, Hydra, and related tools.
- Hands-on experience with Burp Suite Pro for web application assessment and vulnerability chaining.
- Demonstrated use of OSINT tools — Maltego, theHarvester, Shodan, Recon-ng, SpiderFoot, FOCA — for external attack surface discovery.
- Development or deep security review experience in one or more of: C, PHP (Laravel), or Python.
- Practical AWS security experience — IAM policy review, S3 misconfiguration assessment, VPC security, CloudTrail/GuardDuty analysis, and AWS-native security tooling.
- Experience building or significantly contributing to an Application Security program, including secure SDLC and threat modeling (STRIDE or PASTA).
- Incident Response experience as a lead or key contributor — including application-layer breaches, API abuse, and data exfiltration scenarios.
- Working knowledge of OWASP Top 10, SANS CWE Top 25, and NIST 800-53 security controls.
Tools by category:
- Offensive / Pen Test: Burp Suite Pro, Kali Linux, Metasploit, OWASP ZAP, Nmap, Nikto, SQLmap
- OSINT: Maltego, Shodan, theHarvester, Recon-ng, SpiderFoot, FOCA
- AppSec Pipeline: Semgrep, Snyk, Trivy, Checkov, Bitbucket, SonarQube
- Cloud Security: AWS Security Hub, GuardDuty, CloudTrail, IAM Access Analyzer, Prowler, ScoutSuite
- Languages: PHP (Laravel), .NET
- GRC / Compliance: Vanta, Drata, Hyperproof, or equivalent GRC platforms (preferred)
Skills and qualifications (preferred):
- Relevant certifications (good to have, not required): OSCP, CEH, GWAPT, GWEB, GPEN, CISSP, or equivalent hands-on security certifications.
- Experience participating as a security researcher.
- Familiarity with healthcare data standards: HL7, FHIR, and the security implications of EHR/PHI data flows.
- Prior experience as a solo or first-hire AppSec engineer, comfortable building structure in ambiguous environments.
- Contributions to open-source security tooling, CVE disclosures, or published security research.