Title: Senior Security Engineer
Team: Engineering
Location: Remote-Friendly
About the Role:
We're looking for a Senior Security Engineer to lead application security efforts across our product portfolio, spanning web applications, APIs, mobile, embedded software, and shipped product deliverables. You'll be embedded in the engineering organization, partnering with product and platform teams to bake security into every phase of the software development lifecycle, not bolt it on at the end.
A critical part of this role is developing and maintaining a deep understanding of our product attack surface, how components interact, what's exposed, and where real risk lives. That understanding is what transforms security tooling output into prioritized, meaningful action across threat modeling, vulnerability management, and supply chain risk.
This is a high-impact role for someone who is equally comfortable reading source code, threat modeling a new microservice, and coaching a developer through a secure code review.
What You'll Do
Application Security & Secure SDLC
- Own and evolve the AppSec program across the entire SDLC โ from design reviews to post-deployment monitoring โ for web, API, mobile, and shipped product deliverables
- Build and maintain a living model of the product attack surface โ mapping trust boundaries, data flows, exposed interfaces, and high-value targets โ and use it to drive prioritization across all security workstreams
- Conduct threat modeling and architecture security reviews for new features, services, and product releases across all delivery channels
- Perform manual and automated secure code reviews across multiple languages (e.g. Python, Go, TypeScript, C/C++)
- Integrate and tune SAST, DAST, and SCA tooling within CI/CD pipelines (GitHub Actions, Jenkins, or equivalent)
- Triage and drive remediation of vulnerabilities surfaced through scanning, bug bounty, and pen tests
- Develop and maintain a library of security standards, patterns, and guardrails applicable across product types
Third-Party & Supply Chain Security
- Own the Software Bill of Materials (SBOM) program โ define generation, storage, and consumption processes across all product lines
- Establish and maintain policies for evaluating, onboarding, and continuously monitoring third-party dependencies and open-source components
- Triage and prioritize CVEs and license risks surfaced through SCA tooling, driving timely remediation with engineering teams
- Define processes for responding to upstream supply chain incidents (e.g. compromised packages, malicious dependencies)
- Collaborate with procurement and legal to assess security risk of third-party vendors and integrations
- Contribute to industry frameworks and internal standards around software supply chain security (SLSA, NIST SSDF, or equivalent)
- Act as a trusted security advisor embedded within product engineering squads
- Lead security training, lunch-and-learns, and developer education initiatives
- Collaborate with the Platform team on secrets management, identity, and access controls
- Work with the GRC function to translate compliance requirements (SOC 2, ISO 27001) into engineering controls
Incident & Vulnerability Management
- Participate in the security on-call rotation and lead security incident response investigations
- Drive root cause analysis and communicate findings clearly to engineering leadership
- Build and maintain metrics and dashboards to track the health of the AppSec program
- Participate as a member of the Cybersecurity council, representing development in the organization. Report weekly on new threat intelligence as it relates to product security, and any actions that are being taken to remediate new findings.
What We're Looking For
Required
ยท 5+ years of experience in security engineering, with a strong AppSec focus
ยท Hands-on experience with threat modeling frameworks (STRIDE, PASTA, or similar)
ยท Proficiency with common AppSec tooling: Semgrep, Snyk, Burp Suite, OWASP ZAP, or equivalents
ยท Deep understanding of web application vulnerabilities (OWASP Top 10, API security, auth/authz flaws)
ยท Ability to read and reason about code in at least two languages; prior development experience a plus
ยท Experience with software supply chain security โ SBOM generation and analysis (CycloneDX, SPDX), SCA tooling, and dependency risk management
ยท Strong written and verbal communication skills โ you can explain risk to both engineers and executives
Preferred
ยท Experience with cloud-native environments (AWS, GCP, or Azure) and container/Kubernetes security
ยท Familiarity with software supply chain frameworks such as SLSA, NIST SSDF, or OpenSSF Scorecards
ยท Contributions to open-source security tooling or security research
ยท Relevant certifications: OSCP, CSSLP, GWEB, or similar
We recognize that candidates bring diverse experiences and backgrounds. If you donโt meet every requirement, we still encourage you to apply! Many strong candidates donโt check every box. We value potential, growth, and impact as much as experience.
Who You Are
ยท Experienced security professional with a strong background in application security and secure software development.
ยท Skilled at threat modeling, secure code reviews, and identifying real-world risks across complex systems.
ยท Knowledgeable in web, API, mobile, and software supply chain security best practices.
ยท Comfortable working with developers to embed security throughout the SDLC.
ยท Proficient with security testing and vulnerability management tools, including SAST, DAST, and SCA solutions.
ยท Strong communicator who can translate technical risks into actionable recommendations.
ยท Collaborative, proactive, and driven to improve both product security and engineering security culture.
ยท Passionate about continuous learning, emerging threats, and helping teams build secure products at scale.
About Mach7:
Mach7 Technologies helps healthcare organizations bring all their medical images together in one place so they can be easily accessed, shared, and used to support patient care. Our enterprise imaging solutions, including a vendor-neutral archive (VNA), enterprise PACS, the eUnity enterprise diagnostic viewer, and teleradiology workflows, consolidate imaging from across the enterprise into a single, accessible source of truth. Built on open standards, including DICOM and a configurable HL7 engine, and free from proprietary data lock-in, our technology lets providers store, view, and share images on their own terms. The result is a simpler, more connected imaging environment that puts data ownership back where it belongs: with the people delivering care. Your data, your infrastructure, your choice.
AI Expectations
ยท Integrate AI into daily work โ leverage AI tools to enhance efficiency, elevate quality, and support smarter, faster decision-making.
ยท Apply critical human judgment to AI output โ review, validate, and take full accountability for AI-assisted work, ensuring accuracy and reliability.
ยท Continuously improve through AI โ proactively identify opportunities to optimize processes, rethink workflows, and challenge existing approaches rather than maintaining the status quo.
ยท Use AI responsibly and ethically โ safeguard sensitive information, adhere to company guidelines, and actively identify risks such as bias, inaccuracies, or misuse.
CLIMBS Culture Code
At Mach7, our culture is rooted in CLIMBS, a mindset that guides how we show up, collaborate, and grow each day. More than just a set of values, CLIMBS represents the standard we hold ourselves to and the way we approach our work, our teams, and our impact.
C โ Customer First
Every decision starts with the customerโs perspective. Success = customer outcomes and satisfaction.
L โ Learn & Grow
Curiosity keeps us climbing. We embrace continuous learning, share knowledge freely, and invest in each otherโs development.
I โ Innovate for Impact
We value meaningful, outcome-driven innovation over activity. We challenge the status quo and align behind real customer benefit.
M โ Minimize Complexity & Move
As complex as needed but no more. Agility beats bureaucracy. We move fast and stay focused on what matters.
B โ Build Good Sh*t
(Yes, intentionally memorable.) Extreme ownership, craftsmanship, and pride in high-quality work.
S โ Everyone Sells
Not just SalesโEngineering, Product, Support, Finance, IT. We align behind commercial success to enable company success