Application Security Analyst
HealthStream · Nashville, TN · 2 days ago
RemoteRemoteInformation Technology$79k–$85k/yrFull-time
Key Responsibilities
- Adhere to all HealthStream security policies, procedures, and assigned training.
- Operate and manage automated application security testing tools, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Interactive Application Security Testing (IAST).
- Triage, validate, and prioritize vulnerability findings from security scans, penetration tests, and bug reports, working with development teams to track remediation to closure.
- Conduct or support manual security assessments and penetration testing of web applications, APIs, and mobile applications.
- Produce clear, actionable vulnerability reports with risk ratings and remediation guidance for development teams.
- Manage and maintain vulnerability findings within the Snyk, Invicti and SonarQube or equivalent vulnerability management platform.
- Support the integration of security into CI/CD pipelines and DevSecOps workflows, including automated security gate checks.
- Participate in design and architecture reviews with a security lens, helping identify potential risks early in the development process.
- Assist in threat modeling exercises for new features and systems under the guidance of the AppSec Architect.
- Perform security-focused code reviews and provide developers with clear, constructive feedback and guidance.
- Contribute to the maintenance of a secure code library and reusable security patterns for development teams.
- Security Tooling & Cloud Security Support the management and configuration of application security tools such as Synk, Invicti, SonarQube and DefectDojo. Assist in implementing and monitoring security controls for cloud-based environments, including AWS and Azure.
- Evaluate and test emerging security tools and contribute recommendations to the AppSec team.
- Support API security testing and assist in securing third-party and open-source integrations.
- Security Awareness & Collaboration Collaborate with cross-functional teams including Engineering, DevOps, and Product to promote security best practices and a shift-left mindset.
- Deliver security awareness content and assist in conducting security training sessions for development staff.
- Stay current on emerging security threats, vulnerabilities (CVEs), and attack techniques, sharing relevant intelligence with the team.
- Support compliance-related activities, including evidence gathering for audits related to HIPAA, SOC 2, HITRUST or other applicable frameworks.
Qualifications
- Bachelor’s degree in information security, Computer Science, Software Engineering, or a related field. Equivalent practical experience will be considered.
- 2 to 4 years of experience in application security, information security, or software development with a security focus.
- Working knowledge of the OWASP Top 10, common web application vulnerabilities, and secure coding principles.
- Hands-on experience with application security testing tools such as SAST, DAST, or IAST (e.g., Synk, Invicti, Checkmarx, SonarQube, Burp Suite, or similar).
- Familiarity with cloud security concepts and hands-on exposure to AWS or Azure environments.
- Understanding of CI/CD pipelines and experience integrating security checks into DevOps workflows.
- Experience with API security testing and a solid understanding of RESTful service security.
- Proficiency in at least one scripting or programming language such as Python, JavaScript, Java, or Go for automation and security tooling purposes.
- Strong analytical and problem-solving skills with attention to detail.
- Excellent written and verbal communication skills, with the ability to explain security concepts to both technical and non-technical audiences.
- Ability to manage multiple tasks and vulnerabilities simultaneously, prioritizing effectively in a fast-paced environment.
- Relevant security certifications such as CompTIA Security+, CEH (Certified Ethical Hacker), GWAPT, eWPT, or equivalent.
- Experience using vulnerability management platforms such as Snyk, Invicti, or similar.
- Familiarity with security frameworks and standards including OWASP SAMM, NIST, or CIS Controls.
- Exposure to healthcare industry security and privacy regulations, including HIPAA.
- Experience with secure methods of integration with third-party platforms and open-source components.
- Participation in bug bounty programs, Capture the Flag (CTF) competitions, or open-source security research.
- Awareness of AI/ML security trends and their implications for application security.
- Experience with Identity and Access Management (IAM) security concepts and OAuth/OpenID Connect.