API Security Engineer

About The Role OpenLoop is looking for an API Security Engineer to join our team (remote or Des Moines, IA). The API Security Engineer is responsible for designing, implementing, and maintaining security controls that protect the organization's APIs, integration layers, and service-to-service communication. This role ensures that APIs are securely designed, thoroughly tested, continuously monitored, and compliant with both internal policies and external regulations. The engineer works closely with developers, product teams, and security leadership to build secure, scalable, and resilient API ecosystems. The engineer focuses on using secure-by-design, privacy-by-design, and security-first principles to reduce vulnerabilities. Individuals in this role possess a wide range of cybersecurity and software engineering technical acumen, the ability to think like an attacker and exceptional communication skills. When security issues are discovered, the engineer proactively communicates with the appropriate technical and leadership teams to ensure a focus on risk mitigation. The engineer constantly assesses products for weaknesses and recommends ways to mitigate them before they are exploited. Ultimately, the role focuses on executing a comprehensive security & technology roadmap to protect our platform, data, systems, and clients, while ensuring compliance with HIPAA, HITRUST, and other healthcare regulations. What You'll Do: • Build relationships with developers and stakeholders to incorporate security principles into engineering design and deployments. • Define and maintain API security standards, guidelines, and best practices. • Work with engineering and product teams to incorporate security requirements into API design, including authentication, authorization, rate limiting, encryption, and data validation. • Assess architecture diagrams and integration flows for security risks and propose mitigation strategies. • Perform manual and automated security testing of APIs (e.g., fuzzing, penetration testing, misuse-case reviews). • Identify & validate vulnerabilities, i.e. injection flaws, broken authentication, access control issues, insecure deserialization, and misconfigurations. • Ensure integration of security testing tools into arenaflex/CD pipelines (SAST, DAST, API-specific scanners). • Implement API-level logging, anomaly detection, runtime protections, and threat monitoring. • Investigate and respond to API-related security incidents, breaches, or suspicious activity. • Collaborate with SOC, DevSecOps, and engineering teams to develop alerting and mitigation processes. • Develop and enforce API security policies aligned with organizational risk management. • Conduct regular security reviews and maintain documentation for audits and assessments. • Provide guidance to developers on secure API design and coding practices. • Deliver training sessions, code review feedback, and threat-modeling workshops. • Document security findings, outline remediation options and oversee mitigation. • Support the rollout and adoption of API gateways, identity platforms, and secure coding tools. • Focus on automation to aid in efficiencies with both testing and remediation of findings. • Attend and participate in product meetings addressing security requirements for new and existing products. • Build services and tools to enable developers and engineers to easily use security components • Support the ability to "shift left" and incorporate security early on and throughout the development lifecycle. • Communicate vulnerability results to both technical and non-technical users, through influential messaging. • Regularly research and learn new tactics, techniques and procedures (TTPs) in public and closed forums, and work with colleagues to assess risk and implement/validate controls as necessary through the arenaflex/CD pipeline. • Enrich DevSecOps architecture with security standards and best practices. • Partner with teams to define key performance indicators (KPIs) and metrics across business units. • Ensure regulatory compliance (e.g., PCI, HIPAA, HITRUST, NIST CSF) through effective security controls and processes. • Other duties as assigned. Who You Are: • Bachelor's degree in computer science (preferred), information assurance, MIS or related field, or equivalent. • 7+ years of security and systems administration-related experience, with at least 3 years in cloud and security engineering experience • Experience with operations and security across arenaflex Web Services (AWS) and/or arenaflex Cloud Platform (GCP). • Strong understanding of API architectures (REST, GraphQL, gRPC, WebSockets). • Experience with OAuth2, OIDC, JWT, API keys, mTLS, and other authN/authZ models. • Hands-on experience with API gateways (e.g., Kong, Apigee, AWS API Gateway, NGINX). • Ability to obtain and maintain technical team and business support to influence a collaborative effort to reduce attack surface while performing rapid, continuous imp