Application Security Analyst

About The Position

Requirements

• Bachelor’s degree in information security, Computer Science, Software Engineering, or a related field. Equivalent practical experience will be considered.
• 2 to 4 years of experience in application security, information security, or software development with a security focus.
• Working knowledge of the OWASP Top 10, common web application vulnerabilities, and secure coding principles.
• Hands-on experience with application security testing tools such as SAST, DAST, or IAST (e.g., Synk, Invicti, Checkmarx, SonarQube, Burp Suite, or similar).
• Familiarity with cloud security concepts and hands-on exposure to AWS or Azure environments.
• Understanding of CI/CD pipelines and experience integrating security checks into DevOps workflows.
• Experience with API security testing and a solid understanding of RESTful service security.
• Proficiency in at least one scripting or programming language such as Python, JavaScript, Java, or Go for automation and security tooling purposes.
• Strong analytical and problem-solving skills with attention to detail.
• Excellent written and verbal communication skills, with the ability to explain security concepts to both technical and non-technical audiences.
• Ability to manage multiple tasks and vulnerabilities simultaneously, prioritizing effectively in a fast-paced environment.

Nice To Haves

• Relevant security certifications such as CompTIA Security+, CEH (Certified Ethical Hacker), GWAPT, eWPT, or equivalent.
• Experience using vulnerability management platforms such as Snyk, Invicti, or similar.
• Familiarity with security frameworks and standards including OWASP SAMM, NIST, or CIS Controls.
• Exposure to healthcare industry security and privacy regulations, including HIPAA.
• Experience with secure methods of integration with third-party platforms and open-source components.
• Participation in bug bounty programs, Capture the Flag (CTF) competitions, or open-source security research.
• Awareness of AI/ML security trends and their implications for application security.
• Experience with Identity and Access Management (IAM) security concepts and OAuth/OpenID Connect.
• FedRAMP experience is a plus.

Responsibilities

• Adhering to all HealthStream security policies, procedures, and assigned training.
• Operating and managing automated application security testing tools, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Interactive Application Security Testing (IAST).
• Triaging, validating, and prioritizing vulnerability findings from security scans, penetration tests, and bug reports, working with development teams to track remediation to closure.
• Conducting or supporting manual security assessments and penetration testing of web applications, APIs, and mobile applications.
• Producing clear, actionable vulnerability reports with risk ratings and remediation guidance for development teams.
• Managing and maintaining vulnerability findings within the Snyk, Invicti and SonarQube or equivalent vulnerability management platform.
• Supporting the integration of security into CI/CD pipelines and DevSecOps workflows, including automated security gate checks.
• Participating in design and architecture reviews with a security lens, helping identify potential risks early in the development process.
• Assisting in threat modeling exercises for new features and systems under the guidance of the AppSec Architect.
• Performing security-focused code reviews and providing developers with clear, constructive feedback and guidance.
• Contributing to the maintenance of a secure code library and reusable security patterns for development teams.
• Supporting the management and configuration of application security tools such as Synk, Invicti, SonarQube and DefectDojo.
• Assisting in implementing and monitoring security controls for cloud-based environments, including AWS and Azure.
• Evaluating and testing emerging security tools and contributing recommendations to the AppSec team.
• Supporting API security testing and assisting in securing third-party and open-source integrations.
• Collaborating with cross-functional teams including Engineering, DevOps, and Product to promote security best practices and a shift-left mindset.
• Delivering security awareness content and assisting in conducting security training sessions for development staff.
• Staying current on emerging security threats, vulnerabilities (CVEs), and attack techniques, sharing relevant intelligence with the team.
• Assisting in maintaining security documentation, standards, runbooks, and internal knowledge base articles.
• Supporting compliance-related activities, including evidence gathering for audits related to HIPAA, SOC 2, HITRUST or other applicable frameworks.
• Other duties as assigned.

Benefits

• Medical, Dental and Vision insurance
• Paid Time Off
• Parental Leave
• 401k and Roth
• Flexible Spending Account
• Health Savings Account
• Life Insurance
• Short- and Long-Term Disability
• Medical Bridge Insurance
• Critical Illness Insurance
• Accident Insurance
• Identity Protection
• Legal Protection
• Pet Insurance
• Employee Assistance Program
• Fitness Reimbursement