Senior Application Security Engineer

  • $192k-$248k
  • Remote - Worldwide

Job description

Virta Health is pioneering a new standard of care for people to reclaim their lives. We are in the midst of a public health crisis: obesity rates are at an all-time high and over half of US adults have type 2 diabetes or prediabetes, and despite billions spent on new treatments, outcomes are largely worse. Virta reverses these diseases and delivers life-changing results by pairing individualized nutrition with ongoing care from a clinical support team. We have raised over $350 million from top-tier investors, and partner with the largest health plans, employers, and government organizations to help their employees and members restore their health and take back their lives.

You’ll be the dedicated Application Security Engineer in a growing Foundations team. As we rapidly scale our impact, we’re seeking a passionate and experienced security leader to build and mature our application security program. You’ll have the autonomy to define strategy, implement best practices, and embed security principles across the org. If you thrive on building secure systems, automation, fostering a security-conscious culture, and making a tangible difference in protecting sensitive health information, this role is for you.

What You’ll Do

As our Senior Application Security Engineer, you will be the driving force behind securing Virta’s applications and platform, directly contributing to the trust our members and partners place in us. You’ll collaborate across teams to ensure security is a seamless part of our development lifecycle.

  • Own and Enhance Security Design: Assess our current security controls within GCP and Kubernetes, identify areas for improvement, and drive the maturation of our security posture from good to great.

  • Champion Secure Development: Partner closely with Engineering, Product, and Platform teams to integrate security best practices early and often (“shift-left”) into the software development lifecycle.

  • Build and Automate: Design, implement, and manage security tooling and automation to streamline vulnerability detection, remediation, and compliance verification. Replace manual processes with efficient, automated solutions.

  • Refine Access Control: Evolve our identity and access management (IAM) strategy, ensuring least-privilege access and robust auditing capabilities across our systems.

  • Strengthen Network Security: Continuously improve our network security architecture, policies, and controls within our cloud environment.

  • Develop Clear Standards: Establish, document, and communicate practical security policies, standards, and guidelines for engineering teams.

  • Lead Security Initiatives: Drive vulnerability management efforts and enhance our incident response preparedness, ensuring we are ready to handle potential threats effectively.

  • Cultivate Security Awareness: Act as a security evangelist, promoting security awareness and best practices throughout the engineering organization.

Your First 90 Days

Joining a new company and stepping into a foundational role takes time. Here’s what you can expect as you get started and begin making your mark:

  • Immerse Yourself: Your initial focus will be on understanding Virta’s culture, our mission, our engineering workflows, and the nuances of our cloud platform (GCP/Kubernetes). You’ll connect with key engineers and stakeholders across different teams.

  • Learn the Landscape: You’ll dive into our existing systems, CI/CD pipelines, and current security tooling and configurations to get a clear picture of where we stand today.

  • Assess & Identify Opportunities: Leveraging your expertise, you’ll begin evaluating our current security posture, including critical areas like our IAM implementation (RBAC), data security practices, network controls, and existing security policies. You’ll identify the highest-impact areas for initial improvement.

  • Prioritize & Plan: Collaborating with engineering leadership and relevant teams, you’ll help shape the initial priorities for application security, translating your assessments into a tangible action plan or roadmap.

  • Start Building: You won’t just be planning! You’ll quickly transition to hands-on work, likely starting with foundational projects such as refining IAM roles, enhancing specific security configurations, or beginning to develop key security automation or documentation.

Who You Are

  • Deep Application Security Expertise: Significant hands-on experience in application security, including threat modeling, secure coding practices, vulnerability management, and security testing (SAST, DAST, IAST).

  • Cloud Security Proficiency: Strong understanding and practical experience securing cloud-native applications and infrastructure, particularly within cloud environments (GCP strongly preferred).

  • Maturation Mindset: Proven ability to assess existing security designs and strategically mature them over time, moving beyond basic implementations to robust, resilient systems.

  • Automation & IaC Skills: Experience building security automation and implementing security controls using Infrastructure as Code (IaC) principles (e.g., Terraform).

  • Collaboration & Influence: Excellent communication skills with the ability to clearly articulate complex security concepts to diverse audiences and influence technical direction across teams. You’re comfortable advocating for security best practices.

  • Autonomy & Ownership: A proactive, self-directed approach with a strong sense of ownership. You can identify gaps, propose solutions, and drive them to completion independently.

  • Pragmatic Approach: Ability to balance security requirements with business needs and development velocity, finding practical solutions that enhance security without hindering progress.

  • Regulated Environment Experience (Bonus): Experience working in healthcare, fintech, or other highly regulated industries is a plus.

  • Security Fundamentals: Solid grasp of networking concepts, identity management (IAM), encryption, and common web application vulnerabilities (e.g., OWASP Top 10).

Values-driven culture

Virta’s company values drive our culture, so you’ll do well if:

  • You put people first and take care of yourself, your peers, and our patients equally

  • You have a strong sense of ownership and take initiative while empowering others to do the same

  • You prioritize positive impact over busy work

  • You have no ego and understand that everyone has something to bring to the table regardless of experience

  • You appreciate transparency and promote trust and empowerment through open access of information

  • You are evidence-based and prioritize data and science over seniority or dogma

  • You take risks and rapidly iterate

Is this role not quite what you’re looking for? Join our Talent Community and follow us on LinkedIn to stay connected!

As part of your duties at Virta, you may come in contact with sensitive patient information that is governed by HIPAA. Throughout your career at Virta, you will be expected to follow Virta’s security and privacy procedures to ensure our patients’ information remains strictly confidential. Security and privacy training will be provided.

Virta has a location-based compensation structure. Starting pay will be based on a number of factors and commensurate with qualifications & experience. For this role, the compensation range is $192,026 - $248,000. Information about Virta’s benefits is on our Careers page at: https://www.virtahealth.com/careers.

As a remote-first company, our team is spread across various locations with office hubs in Denver and San Francisco. We currently do not hire in the following states: AK, AR, DE, HI, ME, MS, NM, OK, SD, VT, WI.
