Senior Application Security Engineer II
Quick Summary
Contribute to the advancement of secure-by-design practices within the team’s S-SDLC program, including participation in architecture reviews, design consultations,
Spring Health is a global mental health company on a mission to eliminate every barrier to mental health. We're building a world where getting support is simple, personal, and built around the person, so care can continue through every job, move, health plan, and life stage.
Our AI-native platform helps us deliver personalized support across self-guided tools, coaching, therapy, medication management, and specialty care. With outcomes independently validated by JAMA Network Open and the Validation Institute, Spring Health reaches more than 170 million people worldwide through leading employers, health plans, and partners.
As an AI-native company, we believe technology should expand the reach, quality, and humanity of care. Every Spring Health team member is expected to use AI tools thoughtfully, apply human judgment to AI outputs, and keep building AI fluency in ways that support their role and our mission.
Spring Health is looking for a Senior Application Security Engineer II to join our growing Application Security team. Reporting to the Manager, Application Security, you will play a key role in maturing and expanding our AppSec programs — including established SAST, SCA, and DAST capabilities — while helping shape new initiatives such as a Secure AI Development Lifecycle (ADLC). You will work alongside a team of engineers who have laid a strong foundation, bringing your experience to help take these programs to the next level.
This is a full-time, fully remote position open to candidates residing within the United States. Occasional travel to our NYC headquarters may be required.
Responsibilities
~2 min read- →Contribute to the advancement of secure-by-design practices within the team’s S-SDLC program, including participation in architecture reviews, design consultations, and security guidance across the development lifecycle.
- →Mentor engineers on secure coding practices, AppSec fundamentals, and career growth, fostering a collaborative environment where the team grows stronger together.
- →Facilitate the development of an AI-assisted threat modeling program, spanning risk identification, security architecture, and proactive program maturity, enabling the ability to scale threat modeling across the organization.
- →Contribute to maturing the team’s established SAST, SCA, and DAST programs through rule tuning, coverage improvements, and identifying opportunities to strengthen security controls as the organization scales.
- →Perform security-focused code reviews of internal and open-source libraries, prioritizing findings by exploitability and business impact.
- →Support vulnerability remediation efforts by assessing impact, proposing solutions, and validating fixes in accordance with the team’s established remediation workflows.
- →Identify and implement process improvements and security automation using languages such as Go, Python, JavaScript, or Ruby, including the integration of AI tooling to improve team workflows and program efficiency.
- →Contribute to security assessments of AI-integrated product features, including LLM APIs, vector databases, and RAG pipelines, with a focus on risks such as prompt injection, data leakage, and model supply-chain vulnerabilities.
- →Contribute to the research, design, and development of a Secure AI Development Lifecycle (ADLC) in accordance with the OWASP Top 10 for LLM Applications and emerging adversarial ML guidance.
- →Evaluate and recommend AI-assisted security tooling, including AI-augmented SAST and LLM-powered code review, to improve program coverage and team efficiency.
- Demonstrated improvements to the team’s SAST, SCA, and DAST programs through rule tuning, noise reduction, and coverage expansion within the first 90 days.
- Delivery of a documented AI-assisted threat modeling program and foundational ADLC framework, including defined processes, tooling recommendations, and adoption milestones.
- Consistent adherence to team SLAs for vulnerability triage and remediation, with measurable contributions to reducing time-to-remediation for high and critical findings.
- Delivered security automation and AI tooling integrations that produce measurable improvements to program efficiency or engineering team experience.
- Completed security assessments of AI-integrated product features with documented findings, risk ratings, and remediation guidance delivered to engineering teams.
- 7+ years of professional experience in application security or a closely related security engineering discipline, including experience working on complex, ambiguous problem areas independently.
- Hands-on experience with DAST, SAST, and SCA tools, and manual testing techniques (OWASP, SANS Top 25).
- Demonstrated experience securing CI/CD pipelines with commercial and custom-built tooling.
- Experience with IaaS cloud infrastructure (AWS, Azure, or GCP), container technologies, and service-oriented architectures.
- Security automation experience in at least one of: Go, Python, JavaScript, or Ruby.
- Familiarity with AI/ML security concepts — prompt injection, adversarial inputs, model supply-chain risks, and the OWASP LLM Top 10.
- Working knowledge of AI and LLM tooling (e.g., OpenAI, Anthropic, LangChain, or equivalent) sufficient to assess security risk and integrate into automated workflows.
- Experience implementing controls aligned to NIST CSF, HIPAA, HITRUST, ISO-27001, or SOC-2.
- Strong cross-functional collaboration skills, with experience working alongside engineering, product, and leadership stakeholders to define and advance security priorities and plans.
- Bachelor’s degree in Computer Science, Engineering, MIS, IT, or equivalent work experience.
Nice to Have
~1 min read- 3+ years of demonstrated experience in security architecture, including designing and reviewing security controls across cloud-based, distributed, or service-oriented systems.
- Experience leading or contributing to the development of a formal threat modeling program, including tooling selection, methodology design, and adoption across engineering teams.
- Hands-on experience evaluating or implementing AI security tooling, including AI-augmented testing, LLM security assessments, or automated risk analysis.
- Experience managing a bug bounty or vulnerability disclosure program.
- Experience in digital health, healthcare technology, or other HIPAA-regulated environments.
The target base salary range for this position is $180,000 - $205,500, and is part of a competitive total rewards package including stock options and benefits. Individual pay may vary from the target range and is determined by a number of factors including experience, location, internal pay equity, and other relevant business considerations. We review all employee pay and compensation programs annually using Radford Global Compensation Database at minimum to ensure competitive and fair pay.
What We Offer
~2 min readNote: We have even more benefits than listed here and below, your recruiter will provide more in-depth information as you continue in the interview process. Benefits are subject to individual plan requirements and eligibility criteria.
Location & Eligibility
Listing Details
- Posted
- July 15, 2026
- First seen
- July 15, 2026
- Last seen
- July 15, 2026
Posting Health
- Days active
- 0
- Repost count
- 0
- Trust Level
- 67%
- Scored at
- July 15, 2026
Signal breakdown
Please let Springhealth66 know you found this job on Jobera.
3 other jobs at Springhealth66
View all →Explore open roles at Springhealth66.
Similar Security Engineer jobs
View all →Browse Similar Jobs
Stay ahead of the market
Get the latest job openings, salary trends, and hiring insights delivered to your inbox every week.
No spam. Unsubscribe at any time.