SCOPE OF ROLE

The Application Security Engineer is a member of the Bright Health Information Security Organization and involved in building, maintaining and supporting public cloud security and engineering initiatives. This person will be required to work effectively and seamlessly with our engineering organization’s existing security, engineering and cloud operations.

ROLE RESPONSIBILITIES

• Serve as a subject matter expert for application security, providing guidance to engineering and product teams
• Develop roadmap for application security through the assessment of the application portfolio for Dynamic Application Security Testing (DAST) and develop processes for vulnerability identification, analysis and remediation coordination
• Implement capabilities to conduct Static Application Security Testing (SAST) and Software Composition Analysis (SCA) and develop processes required to integrate into the SDLC
• Lead research into suspected application vulnerabilities
• Lead efforts around secure development training for our engineering team
• Coordinate application pentests efforts for all our products
• Maintain awareness of known vulnerabilities in application technologies used within BHG
• Assist with performing thorough threat modeling of web applications
• Effectively partner and communicate with Development, Product, and Management

EDUCATION, TRAINING, EXPERIENCE

• Bachelors degree in technical field (required), Masters degree (preferred).  
• 5+ years of application security experience 
• Competency in dynamic web application testing, SAST & DAST scanning 
• Basic understanding of vulnerability management tools 
• Demonstrated skills in modern programming and scripting languages (Python, Go, JavaScript) and experience with Infrastructure-as-Code frameworks (Terraform, Ansible)
• A proven understanding of Kubernetes multi-tenant deployments at scale. This includes security, hardening, policies, and deployment in infrastructures such as Azure AKS or Amazon EKS or Google Cloud Platform GKE.
• Strong understanding of OWASP TOP 10 
• Strong understanding of cloud architecture 
• Candidates must have excellent verbal and written communication skills, including experience speaking in public forums and writing/contributing to technical publications. 
• Familiar with waterfall and agile development processes and have experience integrating secure development practices into both models 
• Familiarity with industry standards and regulations including HIPAA, SOC2, PCI, SOX, and ISO27001 is desired 
• Security experience with native iOS, native Android, APIs, and React - that's a big plus!
• ISACA, (ISC)2, Offensive Security or relevant industry certifications preferred