Auris | formerly Heartland
Senior Application Security Engineer
Auris | formerly Heartland, Oklahoma City, Oklahoma, United States, 73116
Department:
Information Security
Reports to:
Senior Director, Information Security
Role Summary
You will be a hands‑on technical engineer who embeds security into how software is designed, built, and operated. You’ll create paved‑road patterns, wire security controls into CI/CD, and drive remediation through a risk‑based lens. Success in this role means making the secure way the easy way, reducing time‑to‑fix, and measurably lowering product risk without slowing delivery.
What You’ll Do (Core Responsibilities)
Build & Automate Secure‑by‑Default
Design and maintain paved road templates (reference repos, IaC, CI/CD workflows) that ship with SAST, SCA, secrets scanning, IaC/container scanning, SBOM generation, artifact signing/attestation, and policy gates.
Integrate and tune AppSec tools in developer workflows (IDE hints, PR annotations, pipeline gates); author custom rules where off‑the‑shelf signals are noisy.
Engineer data flows that aggregate/dedupe/correlate findings into a single vulnerability backlog with risk scoring (severity × exploitability × exposure × asset criticality; KEV overrides).
Secure SDLC & Architecture
Lead threat modeling and design reviews for high‑risk features (authn/z boundaries, multi‑tenant isolation, API abuse, data protection).
Write and evolve secure coding standards and language‑specific guardrails (PHP/.NET/Node) aligned to industry best practice.
Partner with platform teams on supply‑chain security (dependency policies, third‑party library allow/deny lists).
Validate & Defend
Stand up DAST/API testing (REST/GraphQL), targeted fuzzing for parsers/critical endpoints, and pre‑prod abuse testing (authz under load, rate limiting, broken object/property level auth).
Coordinate external pen tests and triage bug bounty submissions; drive root‑cause fixes and pattern‑level remediations.
Improve runtime protection with WAF/API gateways and egress controls.
Vulnerability Management & Risk
Own triage for critical services; set SLAs by severity and exploitability; elevate KEV/autowormable issues as emergency response.
Create dashboards that separate leading (coverage, scan on PRs, time‑to‑triage) from lagging (MTTR, open > SLA) and business metrics.
Minimum Qualifications
5+ years in AppSec/Software Security/DevSecOps (or strong software engineering background plus 2+ years AppSec).
Proficiency in at least one major language (e.g., PHP, C#/.NET, JavaScript/TypeScript, Python, or Go) and ability to read others.
Hands‑on with modern AppSec tools and patterns: SAST/SCA/DAST, secrets scanning, SBOM & artifact signing, container/IaC scanning, API testing, WAF/API gateway policy.
CI/CD integration experience (GitHub Actions/GitLab/Jenkins/Azure DevOps/Harness); policy‑as‑code mindset.
Practical understanding of cloud‑native architectures (AWS/Azure/GCP), Kubernetes fundamentals, and common identity patterns (OIDC/OAuth2, session mgmt).
Demonstrated ability to turn noisy scanner output into actionable, prioritized remediation work.
Preferred Qualifications
Operating knowledge of NIST SSDF, OWASP SAMM/ASVS, and SLSA; experience aligning controls to PCI/SOC2/ISO (as relevant).
Building/maintaining golden path templates; writing custom rules for SAST/SCA or Semgrep/CodeQL queries.
Exposure to bug bounty ops and pen test orchestration.
Relevant certifications (CSSLP, OSWE, GWAPT, GCSA) are a plus but not required.
Behavioral Competencies
Enablement first: you remove friction and build guardrails developers want to use.
Systems thinker: you fix root causes and codify them into templates and rules.
Data‑driven: you choose battles via risk signals (KEV, exploitability, exposure).
Clear communicator: you translate risk into engineering work and business impact.
Why Join Us
At Acrisure, we’re building more than a business: we’re building a community where people can grow, thrive, and make an impact. Our benefits support every dimension of your life.
We have pledged more than $22 million through partnerships with charitable hospitals in Michigan, Pennsylvania, and New York.
Employee Benefits
Physical Wellness: Comprehensive medical, dental, and vision insurance; life and disability insurance; fertility benefits; wellness resources; paid sick time.
Mental Wellness: Generous paid time off and holidays; Employee Assistance Program; complimentary Calm app subscription.
Financial Wellness: Immediate vesting in a 401(k) plan; Health Savings Account and Flexible Spending Account options; commuter benefits; employee discount programs.
Family Care: Paid maternity leave and paid paternity leave (including for adoptive parents); legal plan options; pet insurance coverage.
… and so much more!
This list is not exhaustive of all available benefits. Eligibility and waiting periods may apply to certain offerings. Benefits may vary based on subsidiary entity and geographic location.
Acrisure is an Equal Opportunity Employer. We consider qualified applicants without regard to race, color, religion, sex, national origin, disability, or protected veteran status. Applicants may request reasonable accommodation by contacting leaves@acrisure.com.
California Residents: Learn more about our privacy practices for applicants by visiting the Acrisure California Applicant Privacy Policy.
Recruitment Fraud: Please visit here to learn more about our Recruitment Fraud Notice.
Welcome, your new opportunity awaits you.
Candidates should be comfortable with an on‑site presence to support collaboration, team leadership, and cross‑functional partnership.