Senior Application Security AnalystState-of-Washington • Olympia, Washington, United States
Dieses Stellenangebot ist nicht mehr verfügbar
Senior Application Security Analyst
State-of-Washington
- Olympia, Washington, United States
- Olympia, Washington, United States
Über
Equity Statement Equity is fundamental to the mission of the Washington Health Benefit Exchange. The process of advancing toward equity and becoming anti‑racist is disruptive and demands vigilance to dismantle deeply entrenched systems of privilege and oppression. While systemic racism is a root cause of many societal inequities, we must also use an intersectional approach to address all forms of bias and oppression, which interact with and often exacerbate racial inequities. To be successful, we must recognize the socioeconomic drivers of health and focus on people and places where needs are greatest. As we listen to community, we must hold ourselves accountable to responding to recommendations to remedy inequitable policies, systems, or practices within the Exchange’s area of influence. Our goal is that all Washingtonians have full and equal access to opportunities, power and resources to achieve their full potential.
Overview The Senior Application Security Analyst plays a key role in protecting WAHBE’s data and applications by ensuring security controls are effectively integrated throughout the Software Development Lifecycle (SDLC) across both cloud and on‑premises environments. Operating under the guidance of the Application Security Lead, this role serves as a senior technical contributor and collaborates closely with delivery teams, DevOps, architects, IT, and external partners to implement and sustain secure software development practices.
This position is responsible for executing application security assessments, threat modeling, and vulnerability management, while supporting risk assessments and ensuring alignment with WAHBE’s security policies and regulatory requirements. The Senior Application Security Analyst helps drive the adoption and continuous improvement of the Secure Software Development Lifecycle (SSDLC) by integrating automated security controls, conducting code reviews, and promoting secure coding standards.
Key Responsibilities
Identify and mitigate application security risks, support incident response activities, and provide actionable guidance to delivery teams for remediation.
Contribute to strengthening overall application security posture by addressing emerging threats, supporting compliance efforts, and ensuring security best practices are consistently applied across the organization.
Serve as a senior subject matter expert for application security across Microsoft Azure and cloud‑native architectures including hybrid and multi‑cloud environments.
Perform and coordinate application security assessments, code reviews to align with WAHBE security policies, industry standards (NIST, OWASP), and regulatory compliance (e.g., CMS, IRS), including API and microservices security assessments.
Support the implementation and continuous improvement of the Secure Software Development Lifecycle by integrating security controls and best practices into development and deployment processes.
Collaborate with delivery teams, architects, DevOps engineers to embed security into all phases of the SDLC, including participation in threat modeling, security requirement reviews, and architecture discussions.
Review application and solution architectures to identify security weaknesses, attack surfaces, and insecure design patterns, and provide remediation recommendations.
Perform security design reviews for web applications, APIs, microservices, containers, and serverless technologies to ensure secure implementation practices are followed.
Develop, document, and enforce secure coding standards, secure design guidelines, and application security procedures to ensure consistent and secure development practices.
Enhance and lead the Application Security and Penetration Testing program, including performing security and penetration testing and integrating automated security testing into CI/CD pipelines.
Conduct vulnerability triage, validation, and risk analysis using security tools, threat intelligence, and manual analysis, including false‑positive review and remediation prioritization.
Track remediation activities for identified application vulnerabilities and work with development teams to ensure timely resolution or appropriate risk acceptance documentation.
Provide technical guidance for remediation planning and recommend compensating controls when immediate remediation is not feasible.
Support monitoring and reporting activities by preparing vulnerability metrics, remediation status updates, trend analysis, and risk reports for leadership and stakeholders.
Develop and deliver secure coding awareness sessions, technical guidance, and application security training materials for development and engineering teams.
Review Requests for Change (RFCs), product enhancements, and system modifications from a security perspective to ensure security impacts and requirements are addressed.
Continuously monitor cloud and on‑premise environments for security events, anomalies, and potential threats, conduct thorough investigations to identify root causes and impacts, containment and recovery from security breaches, and prepare incident reports, including post‑incident analysis and lessons learned.
Partner with Compliance, Risk Management, Audit, Infrastructure Security, and DevOps teams to support audits, regulatory compliance efforts, and secure cloud adoption initiatives.
Ensure procedures, processes and technologies align with WAHBE security policies and regulatory compliance (e.g., CMS, IRS).
Work closely with delivery teams to ensure security requirements are factored into user stories and case development (including misuse, abuse, and confuse cases within Agile methodology).
Assess the security posture of new enterprise solutions to be procured by identifying security risk and providing secure cloud adoption guidance.
Provide technical security consultation and assessments for cloud environments and containers, emphasizing best practices and conducting comprehensive technical analysis.
Collaborate with WAHBE DevOps Team to integrate application security into CI/CD pipeline as part of SSDLC and enforce security in deployment workflows.
Assist in maintaining and updating WAHBE Security policies, procedures, and standards ensuring ongoing SSDLC adoption.
Collaborate with internal stakeholders, vendors, and external partners to ensure security integration and ongoing compliance, maintaining synchronization with the Security objectives.
Assist Application Security Lead in reviewing existing security capabilities and assist in defining roadmap and strategy for security enhancements.
Provide regular briefings to Application Security Lead and Information Security Manager (ISM), escalating issues and blockers as necessary.
Provide technical guidance on secure development and vulnerability management activities.
Stay current on industry trends, emerging threats, and relevant technologies, and communicate key insights to the Application Security Lead.
Perform other duties as assigned within the scope of application security.
Required Qualifications
Seven (7) years of information security experience in specialized roles such as, but not limited to, security architecture and design, security control implementation, penetration testing, application security, vulnerability management, and incident response.
Demonstrated knowledge of secure SDLC, secure architecture design, application security concepts, and cloud architecture including DevSecOps practices and shift‑left security integration.
Experience performing application security code reviews, roles and permissions matrix reviews, and practical application risk assessments, including manual and automated secure code reviews.
Experience working with common vulnerability assessment tools such as Nessus, Rapid7, Nmap, and Burp Suite, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA) tools.
Advanced understanding of emerging cybersecurity threats, including application‑layer attacks, API abuse, and software supply chain vulnerabilities.
Strong analytical and problem‑solving skills with the ability to “think outside the box.”
Experience integrating security in infrastructure‑as‑code, CI/CD pipelines, and the software development lifecycle, including implementation of automated controls and continuous monitoring and security gates and pipeline enforcement policies.
Demonstrates strong interpersonal and collaboration skills, effectively partnering with internal management, staff, and cross‑functional teams as well as external partners and vendors.
Desired Qualifications
Bachelor’s degree in engineering, security or a technology‑related or closely allied field.
Experience working with application security methodologies such as OWASP.
Demonstrated experience in information security, data security, privacy, and data management, including secure handling of Personally Identifiable Information (PII), application‑level encryption, and key management.
Experience defining secure architectural requirements, security controls, and configuration standards in compliance with regulatory requirements.
Experience working with threat modeling frameworks such as STRIDE and MITRE ATT&CK, including application‑specific threat modeling, attack path analysis, and abuse case analysis.
Experience developing, reviewing, and updating security standards, procedures, awareness and training, including secure coding standards and developer training programs.
Demonstrates a solid understanding of the functions and operations of Security Information and Event Management (SIEM) systems, Endpoint Detection & Response.
Demonstrated experience in managing cyber incident response, including coordination with development teams for rapid patching and hotfix deployment.
Advanced understanding of emerging cybersecurity threats, including application‑layer attacks, API abuse, and software supply chain vulnerabilities.
Working Conditions Core business hours are 8:00 a.m. to 5:00 p.m., Monday through Friday. Irregular hours may be required. The position is primarily remote with occasional in‑person collaboration at the Olympia, Washington headquarters. Employees may need to travel occasionally and work irregular hours for meetings or trainings. The role requires using standard office furniture and equipment, including a setup for remote work. Employees are responsible for providing and maintaining a safe, ergonomic, and secure workspace at their remote location.
Special Requirements A criminal background screen will be conducted for candidates under final consideration, and if hired, every five years of employment where highly sensitive data is processed or maintained by the position. The background screen result must meet the Exchange’s eligibility standards.
Equal Employment Opportunity The Washington Health Benefit Exchange is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, age, marital status, sex, sexual orientation, gender identity, national origin, disability, or protected veteran status. We participate in E‑Verify. You can view the Department of Justice’s Right‑to‑Work poster.
#J-18808-Ljbffr
Sprachkenntnisse
- English
Hinweis für Nutzer
Dieses Stellenangebot wurde von einem unserer Partner veröffentlicht. Sie können das Originalangebot einsehen hier.