Principal Application Security Architect

Information Security | Redwood City, California; Austin, Texas


HeartFlow, Inc. is dedicated to making our products and technologies as secure as possible. The Principal Application Security Architect is a senior level position that reports directly to the VP, CISO, but works closely with development teams, product teams, and other teams across the organization to integrate security into the product lifecycle from design through deployment. The Principal Application Security Architect is a subject matter expert in defining security requirements, performing application security assessments, and providing developers with remediation guidance and advice. On any given day the Principal Application Security Architect can be pulled in to evaluate a new system, review a proposed network change, or provide guidance on application security/coding best practices.

Job Responsibilities:

  • Work independently with developers, system/network administrators, product owners, and other colleagues to ensure secure design, development, and implementation of applications and networks

  • Perform security architecture design reviews of our products (primarily cloud)
  • Perform code analysis of large applications, both through manual review and with SAST and DAST scanning solutions, and conduct manual vulnerability analysis
  • Provide remediation guidance and recommendations to developers and administrators
  • Interface with the Customer Success team to discuss and track security feature enhancement requests from our global customers
  • Work with Product Development teams to help prioritize and validate urgency of mitigation of identified product vulnerabilities and security feature enhancement requests
  • Define security best practices and standards and ensure Product Development teams understand them and receive pertinent annual secure coding training

Skills Needed:

  • Experience working with development teams to build secure solutions
  • Experience breaking down complex systems and applications to find flaws
  • Proficiency in reading, writing, and auditing Python or JavaScript and the ability to pick up new languages/technologies
  • Strong familiarity with common vulnerabilities and attack vectors
  • Knowledge of web service technologies, load balancer services (e.g. Nginx, Cloudflare, F5) and RESTful APIs
  • Knowledge of ubiquitous encryption technologies (PGP, SSH, SSL/TLS, etc.) and common authentication protocols (OpenID Connect, OAuth, SAML, RADIUS, LDAP, Kerberos, etc.)
  • Solid understanding of secure network and system design in both cloud (AWS, Azure, etc.) and conventional environments
  • The ability to communicate complicated technical issues and the risks they pose to developers, network engineers, system administrators, and management
  • Excellent written and verbal communication skills, interpersonal and collaborative skills
  • Must be a critical thinker, with strong problem-solving skills
  • High level of personal integrity, as well as the ability to professionally handle confidential matters, and show an appropriate level of judgment and maturity
  • Self-starter with a positive attitude and the ability to work independently, who enjoys learning and staying current with industry developments, regulations, and best practices

Preferred Experience:

  • Experience as an Application/Product Security Engineer, Architect or Developer
  • A background integrating security testing into the SDLC (preferably the SCRUM framework)
  • Experience providing security training to developers
  • Prior work as a consultant at a highly technical information security consultancy
  • Previous work as a technical security architect or related security role in a company where there is a commitment to information security and technology
  • Additional programming languages such as Java, Python, Objective-C
  • Demonstrated experience using DAST and SAST tools and services

About HeartFlow, Inc.:

HeartFlow, Inc. is a medical technology company redefining the way heart disease is diagnosed and treated. Our non-invasive HeartFlow FFRct Analysis leverages deep learning to create a personalized 3D model of the heart. By using this model, clinicians can better evaluate the impact a blockage has on blood flow and determine the best treatment for patients. Our technology is reflective of our Silicon Valley roots and incorporates decades of scientific evidence with the latest advances in artificial intelligence. The HeartFlow FFRct Analysis is commercially available in the United States, Canada, Europe and Japan. For more information, visit

HeartFlow, Inc. is an Equal Opportunity Employer. This company does not and will not discriminate in employment and personnel practices based on race, sex, age, handicap, religion, national origin or any other basis prohibited by applicable law. Hiring, transferring and promotion practices are performed without regard to the above listed items.