Security • REF: TH-SEC-001

Application Security Engineer

Location: Remote
Work Mode: Remote
Department: Security
Employment Type: Full-time
Reference ID: TH-SEC-001
Date Posted: February 14, 2026

About This Role

Tile Health handles some of the most sensitive data in existence (patient health information), and our application layer is the primary attack surface. The Application Security Engineer will work directly with engineering teams to identify and remediate vulnerabilities, establish secure coding standards, and build automated security checks into every stage of the development process. This is a high-impact role for someone who combines deep security knowledge with the ability to partner effectively with developers.

What You'll Do

  • Conduct secure code reviews and application-level threat modeling for new features and architectural changes
  • Integrate SAST, DAST, and SCA tools into CI/CD pipelines to automate vulnerability detection across the codebase
  • Develop and maintain secure coding guidelines tailored to Tile Health’s technology stack (TypeScript, Python, React)
  • Triage and manage application vulnerabilities from discovery through remediation, working with engineering teams to prioritize fixes
  • Lead security-focused design reviews for features that handle PHI, authentication, or external API integrations
  • Conduct periodic penetration testing of web applications and APIs, documenting findings and tracking remediation

What We're Looking For

  • 4+ years of application security engineering experience with production web applications and APIs
  • Strong understanding of OWASP Top 10, common web vulnerability classes, and secure development practices
  • Hands-on experience with security testing tools (Burp Suite, Semgrep, Snyk, SonarQube, or similar)
  • Proficiency in at least one programming language (TypeScript, Python, Go, or Java) sufficient to conduct meaningful code reviews
  • Experience implementing security automation in CI/CD pipelines (GitHub Actions, GitLab CI, or Jenkins)

Nice to Have

  • OSCP, GWAPT, or similar offensive security certification
  • Experience with healthcare application security and HIPAA technical safeguard requirements
  • Background in API security for FHIR or healthcare interoperability services
  • Contributions to bug bounty programs or published security research