Spring Health

Senior Application Security Engineer II

Spring Health · Remote · Today
Remote senior GoJavaScriptPython
Apply now

About the role

Our mission: eliminating every barrier to mental health.

Spring Health is a global mental health company on a mission to eliminate every barrier to mental health. We're building a world where getting support is simple, personal, and built around the person, so care can continue through every job, move, health plan, and life stage.

Our AI-native platform helps us deliver personalized support across self-guided tools, coaching, therapy, medication management, and specialty care. With outcomes independently validated by JAMA Network Open and the Validation Institute, Spring Health reaches more than 170 million people worldwide through leading employers, health plans, and partners.

As an AI-native company, we believe technology should expand the reach, quality, and humanity of care. Every Spring Health team member is expected to use AI tools thoughtfully, apply human judgment to AI outputs, and keep building AI fluency in ways that support their role and our mission.

Spring Health is looking for a Senior Application Security Engineer II to join our growing Application Security team. Reporting to the Manager, Application Security, you will play a key role in maturing and expanding our AppSec programs — including established SAST, SCA, and DAST capabilities — while helping shape new initiatives such as a Secure AI Development Lifecycle (ADLC). You will work alongside a team of engineers who have laid a strong foundation, bringing your experience to help take these programs to the next level.

This is a full-time, fully remote position open to candidates residing within the United States. Occasional travel to our NYC headquarters may be required.

What you’ll do:

  • Contribute to the advancement of secure-by-design practices within the team’s S-SDLC program, including participation in architecture reviews, design consultations, and security guidance across the development lifecycle.
  • Mentor engineers on secure coding practices, AppSec fundamentals, and career growth, fostering a collaborative environment where the team grows stronger together.
  • Facilitate the development of an AI-assisted threat modeling program, spanning risk identification, security architecture, and proactive program maturity, enabling the ability to scale threat modeling across the organization.
  • Contribute to maturing the team’s established SAST, SCA, and DAST programs through rule tuning, coverage improvements, and identifying opportunities to strengthen security controls as the organization scales.
  • Perform security-focused code reviews of internal and open-source libraries, prioritizing findings by exploitability and business impact.
  • Support vulnerability remediation efforts by assessing impact, proposing solutions, and validating fixes in accordance with the team’s established remediation workflows.
  • Identify and implement process improvements and security automation using languages such as Go, Python, JavaScript, or Ruby, including the integration of AI tooling to improve team workflows and program efficiency.
  • Contribute to security assessments of AI-integrated product features, including LLM APIs, vector databases, and RAG pipelines, with a focus on risks such as prompt injection, data leakage, and model supply-chain vulnerabilities.
  • Contribute to the research, design, and development of a Secure AI Development Lifecycle (ADLC) in accordance with the OWASP Top 10 for LLM Applications and emerging adversarial ML guidance.
  • Evaluate and recommend AI-assisted security tooling, including AI-augmented SAST and LLM-powered code review, to improve program coverage and team efficiency.

What success looks like:

  • Demonstrated improvements to the team’s SAST, SCA, and DAST programs through rule tuning, noise reduction, and coverage expansion within the first 90 days.
  • Delivery of a documented AI-assisted threat modeling program and foundational ADLC framework, including defined processes, tooling recommendations, and adoption milestones.
  • Consistent adherence to team SLAs for vulnerability triage and remediation, with measurable contributions to reducing time-to-remediation for high and critical findings.
  • Delivered security automation and AI tooling integrations that produce measurable improvements to program efficiency or engineering team experience.
  • Completed security assessments of AI-integrated product features with documented findings, risk ratings, and remediation guidance delivered to engineering teams.

What you’ll bring:

  • 7+ years of professional experience in application security or a closely related security engineering discipline, including experience working on complex, ambiguous problem areas independently.
  • Hands-on experience with DAST, SAST, and SCA tools, and manual testing techniques (OWASP, SANS Top 25).
  • Demonstrated experience securing CI/CD pipelines with commercial and custom-built tooling.
  • Experience with IaaS cloud infrastructure (AWS, Azure, or GCP), container technologies, and service-oriented architectures.
  • Security automation experience in at least one of: Go, Python, JavaScript, or Ruby.
  • Familiarity with AI/ML security concepts — prompt injection, adversarial inputs, model supply-chain risks, and the OWASP LLM Top 10.
  • Working knowledge of AI and LLM tooling (e.g., OpenAI, Anthropic, LangChain, or equivalent) sufficient to assess security risk and integrate into automated workflows.
  • Experience implementing controls aligned to NIST CSF, HIPAA, HITRUST, ISO-27001, or SOC-2.
  • Strong cross-functional collaboration skills, with experience working alongside engineering, product, and leadership stakeholders to define and advance security priorities and plans.
  • Bachelor’s degree in Computer Science, Engineering, MIS, IT, or equivalent work experience.

Nice to have:

  • 3+ years of demonstrated experience in security architecture, including designing and reviewing security controls across cloud-based, distributed, or service-oriented systems.
  • Experience leading or contributing to the development of a formal threat modeling program, including tooling selection, methodology design, and adoption across engineering teams.
  • Hands-on experience evaluating or implementing AI security tooling, including AI-augmented testing, LLM security assessments, or automated risk analysis.
  • Experience managing a bug bounty or vulnerability disclosure program.
  • Experience in digital health, healthcare technology, or other HIPAA-regulated environments.

The target base salary range for this position is $180,000 - $205,500, and is part of a competitive total rewards package including stock options and benefits. Individual pay may vary from the target range and is determined by a number of factors including experience, location, internal pay equity, and other relevant business considerations. We review all employee pay and compensation programs annually using Radford Global Compensation Database at minimum to ensure competitive and fair pay. 

Benefits provided by Spring Health:

Note: We have even more benefits than listed here and below, your recruiter will provide more in-depth information as you continue in the interview process. Benefits are subject to individual plan requirements and eligibility criteria.

  • Health, Dental, Vision benefits start on your first day at Spring. You and your dependents also receive access to One Medical accounts HSA and FSA plans are also available, with Spring contributing up to $1K for HSAs, depending on your plan type.
  • Employer sponsored 401(k) match of up to 2% for retirement planning
  • A yearly allotment of no cost visits to the Spring Health network of therapists, coaches, and medication management providers for you and your dependents.
  • We offer competitive paid time off policies including vacation, sick leave and company holidays.
  • At 6 months tenure with Spring, we offer parental leave of 18 weeks for birthing parents and 16 weeks for non-birthing parents.
  • Access to Noom, a weight management program—based in psychology, that’s tailored to your unique needs and goals. 
  • Access to fertility care support through Carrot, in addition to $4,000 reimbursement for related fertility expenses.
  • Access to Wellhub,  which connects employees to the best options for fitness, mindfulness, nutrition, and sleep in one subscription
  • Access to BrightHorizons, which provides sponsored child care, back-up care, and elder care
  • Up to $1,000 Professional Development Reimbursement a year.
  • $200 per year donation matching to support your favorite causes.

Not sure if you meet every requirement? Research shows that women and people from historically underrepresented communities often hesitate to apply for roles unless they meet every qualification compared to other similarly-qualified candidates. At Spring Health, we are committed to fostering a workplace where everyone feels valued, empowered, and supported to Thrive. If this role excites you, we encourage you to apply.

Our privacy policy: https://springhealth.com/privacy-policy/

Spring Health is proud to be an equal opportunity employer. We do not discriminate in hiring or any employment decision based on race, color, religion, national origin, age, sex, marital status, ancestry, disability, genetic information, veteran status, gender identity or expression, sexual orientation, pregnancy, or other applicable legally protected characteristic. We also consider qualified applicants regardless of criminal histories, consistent with applicable legal requirements. Spring Health is also committed to providing reasonable accommodations for qualified individuals with disabilities and disabled veterans. If you have a disability or special need that requires accommodation, please let us know.

Tech stack

GoJavaScriptPython
Level senior
Arrangement Remote
Location Remote
Posted Today
.*
findatechjob

Tech jobs straight from company career pages. No recruiters, no middlemen, no spam.

© 2026 findatechjob · Logos provided by Logo.dev