

Department:  Cyber Security
Status:  Full Time
Shift:  1st

Job Summary 

The Application Security Engineer is responsible for helping Hoag developers follow a clearly defined secure software development lifecycle process, enforce application security principles, and promote secure application design/architecture techniques based on security best practices.  

The Application Security Engineer will ensure that application security fundamentals are followed by leveraging security control measures that map to each stage of the software development lifecycle. In addition, the Application Security Engineer will enforce the use of strong authentication and authorization and employ secure session management to prevent unauthorized access.  

The Application Security Engineer is an integral part of Hoag’s cybersecurity department reporting to the Cyber Security Engineering Manager. This position will help shape new Hoag applications that host sensitive data such as PHI/PII, and must meet data protection and regulatory requirements. Ultimately, the Application Security Engineer will uphold the sterling reputation of Hoag and mitigate cyber risk. 


Education and Experience  

Bachelor’s degree in Cyber Security, Computer Science, Computer Information Systems, Engineering, Business, or related technical field; Additional equivalent work experience may be substituted for the degree requirement 

Three to five (3-5) years as an Application Security Engineer, DevSecOps Engineer, Application Penetration Tester, or Security Software Engineer required 

Three (3) or more years working with secure coding practices, secure application design, secure application architecture, and fluency with APIs and command line tools required 

Three (3) or more years of cybersecurity experience including secure web architecture, secure web development, and security requirements gathering 

Five (5) or more years of advanced working knowledge of Windows and Linux operating systems required 

Demonstrated experience with the capabilities and APIs of multiple major cloud providers (AWS, Azure, Google) required 

Implementing and operating security related tooling such as SAST, DAST, SCA, and SOAR required 

Knowledge of software security maturity frameworks (BSIMM, OpenSAMM) 

Ability to use automation tooling and frameworks such as Jenkins, AWS CodeDeploy, Chef, and Terraform required 

Experience with Cloud Security, Application Security Engineering, and Cloud Application Security 

Experience in a hospital or health care related organization of similar size and complexity preferred 

Experience with DevOps and CI/CD Pipelines 

Experience with the OWASP Top 10, including broken authentication and access control, cross-site request forgery (CSRF), and injection attacks (SQLi, XSS) 

Experience with secure coding practices for input validation, authentication, authorization, error handling, session management, and cryptography 

Experience with secure deployment and maintenance of code and libraries 

Knowledge of web proxy and API testing tools (Burp Suite, ZAP, Postman) and penetration testing tools (Metasploit, Kali Linux, etc.) 

Experience writing standard operating procedures, systems requirements, and general documentation 

Experience implementing and maintaining cloud-based applications in Amazon Web Services required 

Experience working with cloud security and governance tools, cloud access security brokers (CASBs), and server virtualization technologies required 

Experience with Open Security Controls Assessment Language (OSCAL) 

Strong working knowledge of the software development lifecycle, automation tools, and orchestration required 

Perform application security operations including vulnerability management, data loss/leak prevention, and incident response 

Strong oral and written communication skills and the ability to gauge the audience and speak at the appropriate level; the ability to put complex concepts in a clear and concise form required 

Excellent time management skills required, including the ability to set priorities and meet obligations in a timely manner 


Licenses Required 

Current CA driver’s license required for local travel 


Certifications Required (minimum of two of the following)

EC-Council Certified Application Security Engineer (CASE) 

Certified Secure Software Lifecycle Professional (CSSLP) or CISSP 

AWS Certified Security – Specialty 

GIAC Certified Web Application Defender (GWEB) 

GIAC Web Application Penetration Tester (GWAPT) 

Nearest Major Market: Orange County
Nearest Secondary Market: Los Angeles
