Design and implement cloud security controls across Azure workloads (IaaS/PaaS), including network segmentation, Private Link/Private Endpoints, NSGs, Azure Firewall, and secure ingress/egress patterns.
Design and validate security controls for applications and platforms that process Protected Health Information (PHI), including encryption, access controls, logging, and secure data flows.
Support HIPAA and SOC 2 compliance by mapping technical controls to PHI risks, validating effectiveness, and producing audit-ready evidence.
Deploy, configure, and operationalize Microsoft Defender for Cloud (secure score, regulatory compliance, recommendations, JIT access) and integrate findings into remediation workflows.
Serve as the primary Application Security (AppSec) engineer, partnering with Software Engineering to embed security controls across design, build, test, and runtime phases.
Perform threat modeling and architecture reviews for new applications, major changes, and integrations (data flows, identity, APIs).
Define and maintain application security requirements aligned to OWASP Top 10, API Security Top 10, and cloud-native threat models.
Engineer detections and response workflows in Microsoft Sentinel (analytics rules, automation rules, playbooks), including KQL-based hunting and incident triage.
Manage identity and access controls in Microsoft Entra ID, including RBAC, Conditional Access, MFA, Privileged Identity Management (PIM), and Managed Identities.
Harden internet-facing applications using Azure Web Application Firewall (WAF) and Azure Front Door (AFD) policies, aligning protections to OWASP Top 10 and validating through testing and logging.
Implement secure configuration baselines and policy-as-code using Azure Policy and Management Groups; define guardrails for encryption, logging, networking, and identity.
Build and maintain security logging and telemetry (Azure Monitor, Log Analytics, Defender, AFD/WAF logs), ensuring required retention, diagnostics settings, and centralized visibility.
Operate vulnerability management for cloud and application surfaces (e.g., Defender recommendations, scanning outputs), drive remediation prioritization, and validate fixes.
Integrate application security tooling into CI/CD pipelines (SAST, SCA, secrets scanning, IaC scanning), ensuring actionable results without disrupting delivery.
Triage and prioritize application vulnerabilities (code, dependencies, misconfigurations) based on risk, exploitability, and business impact.
Partner with engineering teams to remediate findings and validate fixes.
Secure secrets, keys, and certificates using Azure Key Vault, including access controls, rotation practices, and integration with applications and pipelines.
Secure APIs and web services using authentication, authorization, rate limiting, and abuse protections.
Validate WAF, AFD, and API gateway controls against application-specific threats, including bot abuse and injection attacks.
Monitor runtime application telemetry for security signals and collaborate on incident response when application-layer issues are identified.
Partner with engineering teams to embed secure SDLC practices: threat modeling, security requirements, secure configuration, and remediation guidance for OWASP Top 10 classes.
Review and improve Infrastructure-as-Code (Terraform/Bicep/ARM) for security and compliance, including least-privilege IAM, secure networking defaults, and drift detection.
Investigate security events and participate in incident response, including containment/eradication, evidence collection, and post-incident root cause analysis and lessons learned.
Oversee dependency and third-party library risk (SCA), including vulnerability tracking and remediation guidance.
Define secure patterns for secrets management, service-to-service authentication, and external integrations.
Support endpoint, identity, and cloud workload investigations using Microsoft Defender XDR and related telemetry; tune alerting to reduce noise and improve fidelity.
Maintain runbooks, playbooks, and security documentation; contribute to change management and control evidence for audits and risk assessments.
Conduct security reviews of cloud architecture and changes (new services, networking, identity, data flows), providing actionable recommendations and risk-based exceptions when needed.
Participate in, adhere to, and support compliance and diversity, equity, and inclusion program objectives. Other duties as assigned.
Requirements
5+ years of experience in cloud security, security engineering, security operations, or cloud infrastructure roles with significant security responsibilities (Azure preferred)
Hands-on experience with Microsoft Defender (Defender for Cloud and/or Microsoft Defender XDR) and translating security findings into prioritized remediation
Experience with Microsoft Sentinel (or equivalent SIEM), including KQL queries, detection engineering, alert triage, and incident investigation
Strong understanding of Azure networking and security controls, including secure ingress/egress, firewalling, Private Link, and DNS considerations
Experience protecting web applications using WAF capabilities (Azure WAF/Application Gateway and/or Azure Front Door), including rule tuning and monitoring aligned to OWASP Top 10
Hands-on experience with application security practices, including threat modeling, secure design reviews, and remediation of OWASP Top 10 vulnerabilities
Understanding of API security, authentication/authorization patterns, and common web application attack techniques
Experience partnering with software engineers to drive secure coding practices and risk-based remediation
Solid grasp of identity and access management (Entra ID), RBAC, least privilege, Key Vault, and platform security controls required
Experience implementing governance guardrails using Azure Policy, Management Groups, and security baselines (e.g., Azure Security Benchmark) required
Experience reviewing and securing Infrastructure as Code (Terraform/Bicep/ARM), including secure defaults, secret handling, and drift detection preferred
Familiarity with DevSecOps practices (security scanning, policy enforcement, and automated evidence collection) integrated into CI/CD pipelines preferred
Experience with incident response processes, alert investigation, and post-incident reviews (RCA/lessons learned) preferred
Tech Stack
Azure
Cloud
DNS
SDLC
Terraform
Vault
Benefits
Health insurance
401K company match of up to 5%
No vesting requirement
20 days paid time off
4 weeks paid parental leave
9 paid holidays
Adoption Assistance Program
Flexible Spending Account
Educational Assistance Plan and Professional Membership assistance