Application Security Principal

About The Position

Requirements

• Extensive experience designing and leading application security programs within complex enterprise environments.
• Strong background in software engineering with the ability to read, review, and reason about code for security issues.
• Hands-on experience integrating and operating modern AppSec tools such as Snyk, SonarCloud, GitHub Advanced Security, and CI/CD pipelines.
• Experience guiding developers in the effective and responsible use of AI-assisted development tools such as GitHub Copilot.
• Deep understanding of secure SDLC principles, threat modeling methodologies, and common application vulnerability classes.
• Experience securing cloud-native, API-driven, and microservices-based architectures.
• Strong knowledge of healthcare regulatory requirements, including HIPAA and HITRUST, and their application to software development.
• Proven ability to influence without authority and to build strong partnerships with engineering and product teams.
• Excellent communication and teaching skills, with the ability to translate security concepts into practical developer guidance.
• Demonstrated leadership, program management, and strategic planning capabilities.
• A high degree of personal accountability and trustworthiness, a commitment to working within Quantum Health’s policies, values and ethics, and protecting the sensitive data entrusted to us.

Responsibilities

• Create, own, and drive the enterprise Application Security program, including vision, strategy, roadmap, and operating model.
• Embed within software engineering projects to provide hands-on guidance for secure design, coding, testing, and deployment practices.
• Teach, mentor, and lead software engineers to improve secure coding skills and security decision-making throughout the SDLC.
• Define and operationalize a secure SDLC, including threat modeling, secure design reviews, automated security testing, and release controls.
• Own and optimize application security tooling and workflows, including Snyk, SonarCloud, GitHub Advanced Security, GitHub Copilot, Palisade, and related CI/CD integrations.
• Establish developer-friendly remediation workflows, including prioritized findings, fix guidance, and automation where possible.
• Partner with Engineering and Product leadership to align application security priorities with business objectives and delivery timelines.
• Lead threat modeling and architectural risk assessments for new applications, APIs, and major enhancements.
• Develop and track AppSec metrics and KPIs that demonstrate risk reduction, coverage, and program effectiveness.
• Ensure application security controls and practices meet HIPAA Security Rule and HITRUST CSF requirements and support audit readiness.
• Collaborate with infrastructure, cloud, and enterprise security teams on identity, secrets management, and secure platform patterns.
• Support security incident response activities related to application vulnerabilities and contribute to root-cause analysis and long-term remediation.
• Build and lead an application security champions or guild program to scale secure development practices across teams.
• All other duties as assigned.

Benefits

• Health, vision and dental featuring our best-in-class healthcare navigation services
• Life insurance
• Legal and identity protection
• Adoption assistance
• EAP
• Teladoc services
• 401(k) plan with up to 4% employer match and full vesting on day one
• Paid Time Off (PTO)
• 7 paid holidays
• Parental leave
• Volunteer days
• Paid sabbaticals
• Tuition reimbursement up to $5,250 annually
• Certification/continuing education reimbursement
• Discounted higher education partnerships
• Paid trainings
• Leadership development