
API Security Engineer

OpenLoop
  • US
    Saint Paul, Illinois, United States

About

About OpenLoop
OpenLoop was co‑founded by CEO Dr. Jon Lensing and COO Christian Williams with a vision to bring healing anywhere. Our tele‑health support solutions are designed to streamline and simplify the go‑to‑market care delivery for companies offering meaningful virtual support to patients across a wide range of specialties throughout all 50 states.
Company Culture
We maintain a relatively flat organizational structure where everyone is encouraged to bring ideas to the table and make things happen. This aligns with our core values of Autonomy, Competence, and Belonging, empowering employees to perform their best work.
The Role
OpenLoop is hiring an API Security Engineer (remote or Des Moines, IA). The engineer will design, implement, and maintain security controls that protect our organization’s APIs, integration layers, and service‑to‑service communication. This role ensures that APIs are securely designed, thoroughly tested, continuously monitored, and compliant with internal policies and external regulations.
What You’ll Do
Build relationships with developers and stakeholders to incorporate security principles into engineering design and deployments.
Define and maintain API security standards, guidelines, and best practices.
Work with engineering and product teams to incorporate security requirements into API design, including authentication, authorization, rate limiting, encryption, and data validation.
Assess architecture diagrams and integration flows for security risks and propose mitigation strategies.
Perform manual and automated security testing of APIs (e.g., fuzzing, penetration testing, misuse‑case reviews).
Identify & validate vulnerabilities, such as injection flaws, broken authentication, access control issues, insecure deserialization, and misconfigurations.
Integrate security testing tools into CI/CD pipelines (SAST, DAST, API‑specific scanners).
Implement API‑level logging, anomaly detection, runtime protections, and threat monitoring.
Investigate and respond to API‑related security incidents, breaches, or suspicious activity.
Collaborate with SOC, DevSecOps, and engineering teams to develop alerting and mitigation processes.
Develop and enforce API security policies aligned with organizational risk management.
Conduct regular security reviews and maintain documentation for audits and assessments.
Provide guidance to developers on secure API design and coding practices.
Deliver training sessions, code‑review feedback, and threat‑modeling workshops.
Document security findings, outline remediation options, and oversee mitigation.
Support the rollout and adoption of API gateways, identity platforms, and secure coding tools.
Focus on automation to aid efficiencies with both testing and remediation of findings.
Attend and participate in product meetings addressing security requirements for new and existing products.
Build services and tools to enable developers and engineers to easily use security components.
Support the ability to “shift left” and incorporate security early on and throughout the development lifecycle.
Communicate vulnerability results to both technical and non‑technical users with influential messaging.
Research and learn new tactics, techniques, and procedures (TTPs) in public and closed forums, and work with colleagues to assess risk and implement or validate controls via the CI/CD pipeline.
Enrich DevSecOps architecture with security standards and best practices.
Partner with teams to define key performance indicators (KPIs) and metrics across business units.
Ensure regulatory compliance (PCI, HIPAA, HITRUST, NIST CSF) through effective security controls and processes.
Other duties as assigned.
Who You Are
Bachelor’s degree in computer science (preferred), information assurance, MIS, or related field, or equivalent.
7+ years of security and systems administration‑related experience, with at least 3 years in cloud and security engineering.
Experience operating and securing platforms on Amazon Web Services (AWS) and/or Google Cloud Platform (GCP).
Strong understanding of API architectures (REST, GraphQL, gRPC, WebSockets).
Experience with OAuth2, OIDC, JWT, API keys, mTLS, and other authN/authZ models.
Hands‑on experience with API gateways (e.g., Kong, Apigee, AWS API Gateway, NGINX).
Ability to obtain and maintain technical team and business support to influence a collaborative effort to reduce attack surface while implementing rapid, continuous solutions.
Understanding of OWASP, CVSS, the MITRE ATT&CK framework, and the software development lifecycle (SDLC).
Knowledge of PCI, HIPAA, GLBA, NIST, ISO standards or other compliance requirements.
Self‑starter able to work with minimal supervision.
Excellent communication of business risk and remediation requirements from assessments.
Analytical and problem‑solving abilities with a proactive, risk‑based approach.
Highly organized and efficient.
Demonstrated strategic and tactical thinking, along with decision‑making skills and business acumen.
Experience in healthcare or digital health is a plus.
Strong customer service orientation.
Adaptability to handle dynamic and challenging environments.
Energetic and resourceful, with the appropriate work intensity to get the work done.
Strong people acumen and relationship skills.
Benefits
Medical, Dental, and Vision plans
Flexible Spending/Health Savings Accounts
Flexible PTO
401(k) with company match
Life Insurance, Pet Insurance, and more
Sound like a good fit? We’d love to meet you.

Language skills

  • English
Notice to users

This job posting comes from a TieTalent partner platform. Click “Apply now” to submit your application directly on their site.