Are you passionate about enhancing healthcare outcomes and empowering healthcare professionals? Join the HealthStream team and become a HealthStreamer! Together, we can make a difference in the world of healthcare.
Application Security Analyst
Location
United States
Posted
2 days ago
Salary
$78.6K - $85K / year
Seniority
Mid Level
Job Description
Application Security Analyst
HEALTHSTREAM INC
Role Description
The Application Security Analyst plays a hands-on role in supporting and executing the application security program at HealthStream. Working closely with and under the guidance of the Sr. Application Security Architect, this role focuses on identifying, assessing, and helping remediate security vulnerabilities across our software products and cloud environments. The Analyst will partner with Engineering, DevOps, and Product teams to embed security practices into the software development lifecycle (SDLC), operate security tooling, and contribute to a culture of security awareness. This is an excellent opportunity for a motivated security professional looking to grow within a collaborative, mission-driven healthcare technology organization.

Key Responsibilities
- Adhere to all HealthStream security policies, procedures, and assigned training.

Application Security Testing & Vulnerability Management
- Operate and manage automated application security testing tools, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Interactive Application Security Testing (IAST).
- Triage, validate, and prioritize vulnerability findings from security scans, penetration tests, and bug reports, working with development teams to track remediation to closure.
- Conduct or support manual security assessments and penetration testing of web applications, APIs, and mobile applications.
- Produce clear, actionable vulnerability reports with risk ratings and remediation guidance for development teams.
- Manage and maintain vulnerability findings within Snyk, Invicti and SonarQube, or an equivalent vulnerability management platform.

Secure Development Lifecycle (SDLC) Support
- Support the integration of security into CI/CD pipelines and DevSecOps workflows, including automated security gate checks.
- Participate in design and architecture reviews with a security lens, helping identify potential risks early in the development process.
- Assist in threat modeling exercises for new features and systems under the guidance of the AppSec Architect.
- Perform security-focused code reviews and provide developers with clear, constructive feedback and guidance.
- Contribute to the maintenance of a secure code library and reusable security patterns for development teams.

Security Tooling & Cloud Security
- Support the management and configuration of application security tools such as Snyk, Invicti, SonarQube and DefectDojo.
- Assist in implementing and monitoring security controls for cloud-based environments, including AWS and Azure.
- Evaluate and test emerging security tools and contribute recommendations to the AppSec team.
- Support API security testing and assist in securing third-party and open-source integrations.

Security Awareness & Collaboration
- Collaborate with cross-functional teams including Engineering, DevOps, and Product to promote security best practices and a shift-left mindset.
- Deliver security awareness content and assist in conducting security training sessions for development staff.
- Stay current on emerging security threats, vulnerabilities (CVEs), and attack techniques, sharing relevant intelligence with the team.
- Assist in maintaining security documentation, standards, runbooks, and internal knowledge base articles.
- Support compliance-related activities, including evidence gathering for audits related to HIPAA, SOC 2, HITRUST or other applicable frameworks. FedRAMP experience is a plus.
- Other duties as assigned.

Qualifications
- Bachelor's degree in Information Security, Computer Science, Software Engineering, or a related field. Equivalent practical experience will be considered.
- 2 to 4 years of experience in application security, information security, or software development with a security focus.
- Working knowledge of the OWASP Top 10, common web application vulnerabilities, and secure coding principles.
- Hands-on experience with application security testing tools such as SAST, DAST, or IAST (e.g., Snyk, Invicti, Checkmarx, SonarQube, Burp Suite, or similar).
- Familiarity with cloud security concepts and hands-on exposure to AWS or Azure environments.
- Understanding of CI/CD pipelines and experience integrating security checks into DevOps workflows.
- Experience with API security testing and a solid understanding of RESTful service security.
- Proficiency in at least one scripting or programming language such as Python, JavaScript, Java, or Go for automation and security tooling purposes.
- Strong analytical and problem-solving skills with attention to detail.
- Excellent written and verbal communication skills, with the ability to explain security concepts to both technical and non-technical audiences.
- Ability to manage multiple tasks and vulnerabilities simultaneously, prioritizing effectively in a fast-paced environment.

Requirements
- Relevant security certifications such as CompTIA Security+, CEH (Certified Ethical Hacker), GWAPT, eWPT, or equivalent.
- Experience using vulnerability management platforms such as Snyk, Invicti, or similar.
- Familiarity with security frameworks and standards including OWASP SAMM, NIST, or CIS Controls.
- Exposure to healthcare industry security and privacy regulations, including HIPAA.
- Experience with secure methods of integration with third-party platforms and open-source components.
- Participation in bug bounty programs, Capture the Flag (CTF) competitions, or open-source security research.
- Awareness of AI/ML security trends and their implications for application security.
- Experience with Identity and Access Management (IAM) security concepts and OAuth/OpenID Connect.

Benefits
- Medical, Dental and Vision insurance
- Paid Time Off
- Parental Leave
- 401k and Roth
- Flexible Spending Account
- Health Savings Account
- Life Insurance
- Short- and Long-Term Disability
- Medical Bridge Insurance
- Critical Illness Insurance
- Accident Insurance
- Identity Protection
- Legal Protection
- Pet Insurance
- Employee Assistance Program
- Fitness Reimbursement
More Security Engineer Jobs
• Act as the bridge between architectural intent and operational reality; mediate conflicts between security requirements and feasible implementation, propose compensating controls where gaps exist and help register, track and remediate residual risks.
• Implement preventive, default-on security controls across cloud and enterprise environments, codified as policy- and infrastructure-as-code so security is enforced by design, including controls that govern how AI tools and models may be used.
• Implement and enforce identity and access controls to an agreed standard, including access boundaries for AI systems and non-human/agent identities, by partnering with Platform Engineering and IT to align tooling and policy to the architecture.
• Assist in maintaining the InfoSec risk register; track emerging threats and translate them into actionable guidance for engineering teams.
• Support third-party and vendor risk assessments, with a focus on vendors who process data through AI pipelines.
• Automate repetitive security workflows (evidence collection, access reviews, alert enrichment) and build or operate AI-assisted security agents, with human-in-the-loop approval gates, least-privilege credentials, and explicit attention to each agent's own blast radius.
• Integrate security tooling (SIEM, CSPM, DAST/SAST, vulnerability scanners) with LLM layers to surface actionable insight and automated responses.
• Define and enforce security requirements for AI-powered features: model access controls, prompt-injection mitigations, output validation, and data-handling boundaries.
• Conduct threat modelling on agentic and LLM-based systems, accounting for novel attack surfaces such as tool misuse, indirect prompt injection, and supply chain risk.
