Ensemble Health Partners is a leading provider of technology-enabled revenue cycle management solutions for health systems. The Senior Application Security Engineer will manage and optimize application security tools, ensuring their effective integration into the software development lifecycle, while collaborating with various teams to identify and remediate vulnerabilities.
Responsibilities:
- Manage and optimize application security tools (SAST, DAST, SCA, IaC, secret scanning) and ensure effective integration into CI/CD pipelines and the SDLC lifecycle
- Analyze source code and infrastructure-as-code for security vulnerabilities and provide actionable remediation guidance
- Validate and triage findings from security tools, removing false positives and ensuring accurate issue tracking
- Create and manage remediation tickets (e.g., Aha! Ideas, ServiceNow Requests), ensuring vulnerabilities are prioritized, assigned, and tracked to resolution
- Collaborate with development and engineering teams to validate remediation efforts and confirm closure of security issues
- Participate in the risk management process by documenting, reviewing, and maintaining risk exceptions for unresolved or accepted vulnerabilities
- Work with risk owners and business stakeholders to ensure appropriate compensating controls are in place and documented
- Lead secure code reviews and contribute to threat modeling and design discussions for high-risk applications
- Mentor junior engineers and provide technical guidance on secure development practices
- Contribute to the development and refinement of secure coding standards, policies, and procedures
- Develop and maintain dashboards and reports that communicate application security posture, remediation progress, and risk trends to leadership
- Identify recurring security issues and propose systemic improvements to reduce future risk
- Lead efforts to evaluate, pilot, and implement new application security tools and integrations that enhance automation and coverage
- Continuously refine scanning configurations and policies to improve signal-to-noise ratio in findings
- Stay informed on emerging threats, vulnerabilities, and industry trends, and recommend improvements to tooling and processes
- Participate in the evaluation and onboarding of new security tools and technologies
- Work closely with cross-functional stakeholders to analyze and troubleshoot complex production issues
Requirements:
- 5-7 years of related experience relative to the role
- Bachelors degree or equivalent experience
- A minimum of 5 years of experience in software development, architecture, or engineering roles
- A minimum of 3-5 years of experience applying secure development practices or working directly with application security tools (e.g., SAST, DAST, SCA, IaC scanning)
- Demonstrated experience leading remediation efforts and collaboration between development and security teams to address vulnerabilities
- Ability to read and interpret stack traces and source code call trees to validate and triage security findings
- Experience working in Agile/SCRUM environments and implementing CI/CD and DevOps practices
- Proficiency in scripting languages (e.g., Python, PowerShell, Bash) to support automation and developer tooling
- Experience deploying and automating security solutions in enterprise environments using AWS and/or Azure
- Hands-on experience with application security platforms including SAST, DAST, SCA, IaC scanning, and secret detection tools
- Proficiency in one or more programming languages such as Java, .NET (C#), PHP, JavaScript, or Python
- Working knowledge of SQL and relational database security considerations
- Strong understanding of OWASP Top10 and secure coding standards
- Experience with version control systems (Github, Azure DevOps, Gitlab) and CI/CD pipeline integration
- Familiarity with infrastructure-as-code tools (Terraform, CloudFormation) and containerization technologies (Docker, Kubernetes)
- Strong analytical and problem-solving skills, with the ability to bring structure and clarity to complex technical challenges
- Familiarity with Linux and Windows operating systems and cloud-native security practices in Azure, AWS, or GCP
- Ability to create scripts (PowerShell/bash)
- Adherence to secure change management and deployment processes
- Excellent communication skills and the ability to serve as a security ambassador across engineering and product teams
- Proven ability to take ownership of complex issues and drive them to resolution with minimal oversight