Mach7 Technologies

Senior Security Engineer

Mach7 Technologies · Burlington, Vermont, United States

Medical Equipment Manufacturing · 51-200 employees

Yesterday
Remote Senior (5-10 yrs) Full-time United States
Log in to apply, save this posting, or score it against your profile with AI.

About the role

Lead application security efforts across the product portfolio by integrating security into every phase of the software development lifecycle. This includes conducting threat modeling, managing software supply chain risks, and driving vulnerability remediation across web, mobile, and embedded software.

What they look for

Application Security Threat Modeling Secure Code Review Vulnerability Management Software Supply Chain Security SAST DAST SCA SBOM CI/CD Pipelines Python Go TypeScript C/C++ API Security Cloud Security

Requirements

Requires 5+ years of security engineering experience with a strong focus on AppSec and proficiency in threat modeling frameworks and security tooling. Candidates must be able to read and reason about code in at least two languages and have experience with SBOM and dependency risk management.

Full description

Title: Senior Security Engineer

Team: Engineering

Location: Remote-Friendly

About the Role:

We're looking for a Senior Security Engineer to lead application security efforts across our product portfolio, spanning web applications, APIs, mobile, embedded software, and shipped product deliverables. You'll be embedded in the engineering organization, partnering with product and platform teams to bake security into every phase of the software development lifecycle, not bolt it on at the end.

A critical part of this role is developing and maintaining a deep understanding of our product attack surface, how components interact, what's exposed, and where real risk lives. That understanding is what transforms security tooling output into prioritized, meaningful action across threat modeling, vulnerability management, and supply chain risk.

This is a high-impact role for someone who is equally comfortable reading source code, threat modeling a new microservice, and coaching a developer through a secure code review.

What You'll Do

Application Security & Secure SDLC

  • Own

and evolve the AppSec program across the entire SDLC — from design reviews to post-deployment monitoring — for web, API, mobile, and shipped product deliverables

  • Build

and maintain a living model of the product attack surface — mapping trust boundaries, data flows, exposed interfaces, and high-value targets — and use it to drive prioritization across all security workstreams

  • Conduct

threat modeling and architecture security reviews for new features, services, and product releases across all delivery channels

  • Perform

manual and automated secure code reviews across multiple languages (e.g. Python, Go, TypeScript, C/C++)

  • Integrate

and tune SAST, DAST, and SCA tooling within CI/CD pipelines (GitHub Actions, Jenkins, or equivalent)

  • Triage

and drive remediation of vulnerabilities surfaced through scanning, bug bounty, and pen tests

  • Develop

and maintain a library of security standards, patterns, and guardrails applicable across product types

Third-Party & Supply Chain Security

  • Own

the Software Bill of Materials (SBOM) program — define generation, storage, and consumption processes across all product lines

  • Establish

and maintain policies for evaluating, onboarding, and continuously monitoring third-party dependencies and open-source components

  • Triage

and prioritize CVEs and license risks surfaced through SCA tooling, driving timely remediation with engineering teams

  • Define

processes for responding to upstream supply chain incidents (e.g. compromised packages, malicious dependencies)

  • Collaborate

with procurement and legal to assess security risk of third-party vendors and integrations

  • Contribute

to industry frameworks and internal standards around software supply chain security (SLSA, NIST SSDF, or equivalent)

  • Act

as a trusted security advisor embedded within product engineering squads

  • Lead

security training, lunch-and-learns, and developer education initiatives

  • Collaborate

with the Platform team on secrets management, identity, and access controls

  • Work

with the GRC function to translate compliance requirements (SOC 2, ISO 27001) into engineering controls

Incident & Vulnerability Management

  • Participate

in the security on-call rotation and lead security incident response investigations

  • Drive

root cause analysis and communicate findings clearly to engineering leadership

  • Build

and maintain metrics and dashboards to track the health of the AppSec program

  • Participate

as a member of the Cybersecurity council, representing development in the organization. Report weekly on new threat intelligence as it relates to product security, and any actions that are being taken to remediate new findings.

What We're Looking For

Ø Required

· 5+ years of experience in security engineering, with a strong AppSec focus

· Hands-on experience with threat modeling frameworks (STRIDE, PASTA, or similar)

· Proficiency with common AppSec tooling: Semgrep, Snyk, Burp Suite, OWASP ZAP, or equivalents

· Deep understanding of web application vulnerabilities (OWASP Top 10, API security, auth/authz flaws)

· Ability to read and reason about code in at least two languages; prior development experience a plus

· Experience with software supply chain security — SBOM generation and analysis (CycloneDX, SPDX), SCA tooling, and dependency risk management

· Strong written and verbal communication skills — you can explain risk to both engineers and executives

Ø Preferred

· Experience with cloud-native environments (AWS, GCP, or Azure) and container/Kubernetes security

· Familiarity with software supply chain frameworks such as SLSA, NIST SSDF, or OpenSSF Scorecards

· Contributions to open-source security tooling or security research

· Relevant certifications: OSCP, CSSLP, GWEB, or similar

We recognize that candidates bring diverse experiences and backgrounds. If you don’t meet every requirement, we still encourage you to apply! Many strong candidates don’t check every box. We value potential, growth, and impact as much as experience.

Who You Are

· Experienced security professional with a strong background in application security and secure software development.

· Skilled at threat modeling, secure code reviews, and identifying real-world risks across complex systems.

· Knowledgeable in web, API, mobile, and software supply chain security best practices.

· Comfortable working with developers to embed security throughout the SDLC.

· Proficient with security testing and vulnerability management tools, including SAST, DAST, and SCA solutions.

· Strong communicator who can translate technical risks into actionable recommendations.

· Collaborative, proactive, and driven to improve both product security and engineering security culture.

· Passionate about continuous learning, emerging threats, and helping teams build secure products at scale.

About Mach7:

Mach7 Technologies helps healthcare organizations bring all their medical images together in one place so they can be easily accessed, shared, and used to support patient care. Our enterprise imaging solutions, including a vendor-neutral archive (VNA), enterprise PACS, the eUnity enterprise diagnostic viewer, and teleradiology workflows, consolidate imaging from across the enterprise into a single, accessible source of truth. Built on open standards, including DICOM and a configurable HL7 engine, and free from proprietary data lock-in, our technology lets providers store, view, and share images on their own terms. The result is a simpler, more connected imaging environment that puts data ownership back where it belongs: with the people delivering care. Your data, your infrastructure, your choice.

AI Expectations

· Integrate AI into daily work — leverage AI tools to enhance efficiency, elevate quality, and support smarter, faster decision-making.

· Apply critical human judgment to AI output — review, validate, and take full accountability for AI-assisted work, ensuring accuracy and reliability.

· Continuously improve through AI — proactively identify opportunities to optimize processes, rethink workflows, and challenge existing approaches rather than maintaining the status quo.

· Use AI responsibly and ethically — safeguard sensitive information, adhere to company guidelines, and actively identify risks such as bias, inaccuracies, or misuse.

CLIMBS Culture Code

At Mach7, our culture is rooted in CLIMBS, a mindset that guides how we show up, collaborate, and grow each day. More than just a set of values, CLIMBS represents the standard we hold ourselves to and the way we approach our work, our teams, and our impact.

C — Customer First Every decision starts with the customer’s perspective. Success = customer outcomes and satisfaction.

L — Learn & Grow Curiosity keeps us climbing. We embrace continuous learning, share knowledge freely, and invest in each other’s development.

I — Innovate for Impact We value meaningful, outcome-driven innovation over activity. We challenge the status quo and align behind real customer benefit.

M — Minimize Complexity & Move As complex as needed but no more. Agility beats bureaucracy. We move fast and stay focused on what matters.

B — Build Good Sh*t (Yes, intentionally memorable.) Extreme ownership, craftsmanship, and pride in high-quality work.

S — Everyone Sells Not just Sales—Engineering, Product, Support, Finance, IT. We align behind commercial success to enable company success