Security Engineer | InfraSec

Posted Apr 18

At Nuna, our mission is to make high-quality healthcare affordable and accessible for everyone. We are dedicated to tackling one of our nation’s biggest problems with ingenuity, creativity, and a keen moral compass.

Nuna is committed to simple principles: a rigorous understanding of data, modern technology, and most importantly, compassion and care for our fellow human. We want to know what really works, what doesn't—and why.

Nuna partners with healthcare payers, including government agencies and health plans, to turn data into learnings and information into meaning.

YOUR TEAM 

The Nuna Security team is responsible for protecting the confidentiality, integrity, and availability of all healthcare data, client information, intellectual property, and employee data entrusted to our organization. The Nuna Security Team covers the gamut of security across the corporate and production environments. We secure the web applications, the product infrastructure, and the corporate infrastructure. We work closely with the Compliance Team to ensure that we are meeting security standards and providing our customers with the utmost assurance that we will keep their data safe. 

We stay ahead of the constantly evolving threat landscape by building and maintaining automated solutions, fostering a security-aware culture across teams, and constantly challenging assumptions. We flourish with our ability to participate and give back to the healthcare industry and security community through leadership, education, and code.

YOUR IMPACT

As a Security Engineer, you will protect the data of tens of millions of Americans while working closely with our distributed compliance, privacy, and engineering teams by looking deeper and seeing further into the security of the environment to help improve and embed controls across the company. 

The Security Engineer will be responsible for scoping, scheduling, scanning and remediating any vulnerabilities identified. They will review vulnerability data from multiple sources (e.g., external / internal penetration testing, internal / external vulnerability scanning, etc.) across multiple technologies and a changing environment, including infrastructure and applications, to determine the risk rating of vulnerabilities to business assets.

YOUR OPPORTUNITIES

  • Vulnerability & Compliance Scanning and Triage:
      • Perform vulnerability and compliance scanning in the corporate, cloud, and application environments to discover risks to networks, operating systems, applications, databases, and other information system components
      • Monitor vulnerability dashboards, triage findings, and drive remediations to completion
      • Provide analysis and validation post-remediation, identify opportunities for improvements and utilize out-of-the-box thinking for optimizations and solving roadblocks
      • Participate in Cyber Security Audits and External Penetration Tests
  • Working and communicating effectively with stakeholders at Nuna:
      • Partner with other teams to identify and evaluate risk, provide analysis of vulnerabilities and make recommendations for mitigation and remediation
      • Provide technical support, where needed, to other teams to help remediate vulnerabilities within their systems
      • Make recommendations regarding the selection of cost-effective security controls to mitigate identified risks
      • Encourage adoption of security methodologies and architecture changes throughout the company via evangelism and education
      • Brief outward and upward within Nuna on vulnerability assessment results, potential risks, and overall progress
      • Escalate security incidents when they arise and participate in the incident response efforts
      • Help the InfraSec and Compliance Teams to maintain appropriate documentation that defines the Threat & Vulnerability Management Program, Policy and Procedures
  • Engineering and Automation:
      • Perform configuration changes, technical changes, system updates and upgrades, and any other implementation tasks to remediate vulnerability findings as independently as possible
      • Oversee and automate monthly redeploy of immutable cloud resources (EC2 instances, AMIs, Docker images, Kubernetes images, etc.)
      • Automate the vulnerability management process to improve operational efficiency, including but not limited to data ingestion & normalization, compliance metrics and detections on assets
      • Create dashboards and automated report generation
  • Security Expertise:
      • Continue self-development of knowledge, skills and abilities to better support execution of the information security function
      • Monitor news and intelligence feeds to proactively identify vulnerabilities that may impact the organization
      • Research, evaluate, and assess emerging cyber security threats, incidents, and vulnerabilities

YOU BRING

  • Preferably 1-2 years of experience in cybersecurity and engineering but open to new graduates with relevant coursework and project experience
  • Either a degree or certificate of program completion in Information Systems, Computer Science or a related field
  • Good understanding of vulnerability scanning tools or ability to learn (e.g., AWS Security Hub, Burp Suite, Nessus, SAST products, etc.)
  • Experience working in AWS and a basic understanding of cloud infrastructure deployment, configuration, and management
  • Experience coding in at least 1 or 2 languages: Python, Bash, Go, Terraform, Packer, Puppet
  • Understanding of a variety of technical concepts with focus on cloud computing, automation, networking, systems administration, application development, and information security best practices
  • Clear understanding of industry best practices and a shown ability to respond to evolving risks.
  • Shown leadership, organization, and communication skills. Possessing the ability to effectively prioritize tasks across multiple partners.
  • Capable of analyzing requirements and designing system-level threat models
  • Proficient at configuring and hardening Linux and ancillary services using cloud orchestration and infrastructure-as-code or ability to learn
  • Proficient with log analysis and auditing platforms such as Splunk or ability to learn
  • Experience in or ability to learn vulnerability scanning, SIEM, penetration testing, network admission control, advanced malware protection and/or mobile device management.

BONUSES

  • Security Certifications such as Certified Vulnerability Assessor (CVA), Certified Ethical Hacker (CEH), CIPP (Certified Information Privacy Professional), CRISC (Certified in Risk and Information Systems Control), CISA (Certified Information System Auditor), CISSP (Certified Information Security Professional) or CISM (Certified Information Systems Manager) are a plus.
  • Experience with healthcare and government regulatory requirements.
  • Willingness to conduct research, write white papers, and present technical content at local events and conferences.
  • Knowledge of Java and JavaScript

TECHNOLOGIES USED AT NUNA

  • AWS cloud environment: EC2, S3, RDS, ELB, ECS, ECR, AWS VPCs and networking
  • Operating systems: Linux, OS X and Windows
  • Languages: Python, Go, Bash, Java, JavaScript
  • Cloud orchestration framework: Packer, Puppet, Terraform
  • Metrics and reporting: Splunk, AWS Config, AWS SNS, AWS CloudWatch, Prometheus
  • Coordination & collaboration tools: ClickUp, Confluence, Slack, G Suite, GitLab

We take into account an individual’s qualifications, skillset, and experience in determining final salary. This role is eligible for health insurance, life insurance, retirement benefits, participation in the company’s equity program, paid time off, including vacation and sick leave. The expected salary range for this position is $151,000 to $180,000. The actual offer will be at the company’s sole discretion and determined by relevant business considerations, including the final candidate’s qualifications, years of experience, and skillset.

Nuna is an Equal Employment Opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, age, disability, genetics and/or veteran status.