First Stop Health is on a mission to deliver affordable, delightful healthcare for all, providing connected, whole-person virtual care to employers 24/7. They are seeking an Application Security Engineer to design, implement, and maintain application security practices, partnering closely with engineering and Information Security teams to embed security into the software development lifecycle.
Responsibilities:
- Apply deep knowledge of application security architecture and design principles, including frameworks such as OWASP SAMM, to influence secure system design
- Review application architectures to identify security risks and recommend appropriate controls and mitigation strategies
- Design and implement secure coding standards, guidelines, and patterns aligned with industry best practices
- Lead and support the implementation of a secure SDLC, integrating security controls into design, development, testing, and deployment processes
- Partner with engineering leadership to embed security requirements and checkpoints into CI/CD pipelines
- Ensure security requirements are consistently applied across cloud, web, mobile, and API-based applications
- Perform and facilitate threat modeling exercises with development teams to identify potential attack vectors and prioritize risks
- Conduct risk assessments and provide actionable guidance to reduce application-level security risk
- Communicate risk findings clearly, balancing technical detail with business impact
- Lead application security assessments, including static and dynamic analysis, architecture reviews, and manual testing
- Perform and oversee code reviews to identify security vulnerabilities and design flaws
- Lead and coordinate penetration testing engagements, including scoping, execution, remediation validation, and reporting
- Serve as a trusted security advisor to development teams, providing expert guidance on secure design, implementation, and remediation
- Develop and deliver security training and awareness content for developers and technical stakeholders
- Contribute to security documentation, standards, and internal knowledge bases
- Monitor relevant threat intelligence sources related to application and software supply chain risks
- Analyze emerging threats and vulnerabilities and communicate relevant findings to the Information Security team and other stakeholders
- Recommend enhancements to application security controls and practices based on evolving threats and industry trends
Requirements:
- Bachelor's degree or equivalent practical experience
- 5-8 years in information security, IT, or related technical roles
- Strong understanding of application security architecture, design principles, and secure coding practices
- Experience securing CI/CD pipelines and DevOps workflows
- In-depth knowledge of security best practices and industry standards (e.g., OWASP Top 10, CWE, NIST, ISO-aligned controls)
- Experience implementing and operating a secure SDLC in modern development environments
- Ability to conduct complex security assessments, including manual code reviews and architecture analysis
- Experience leading security assessments and penetration testing engagements
- Working knowledge of threat modeling methodologies and risk assessment techniques
- Ability to clearly and effectively communicate complex security concepts to developers, engineers, leadership, and other stakeholders
- Strong knowledge of security principles and technologies (e.g., encryption, authentication, firewalls, IDS/IPS, incident response, EDR, etc.)
- Hands-on experience with SAST, DAST, and SCA technologies such as Snyk, GitHub Advanced Security, etc.
- Familiarity with cloud platforms (AWS, Azure, or GCP) and associated security features and configurations
- Understanding of regulatory standards (GDPR, HIPAA, PCI-DSS, ISO 27001) and how they impact operations
- Strong analytical and problem-solving skills; able to identify risks and propose effective mitigations
- Excellent communication and collaboration skills
- Certifications such as Security+, Certified Application Security Engineer (CASE), Certified Secure Software Lifecycle Professional (CSSLP), etc.