Washington Health Benefit Exchange
Application Security Lead
Washington Health Benefit Exchange, Olympia, Washington, United States, 98502
The mission of Washington Health Benefit Exchange (Exchange) is to radically improve how Washington residents secure health insurance through innovative and practical solutions, an easy-to-use customer experience, our values of integrity, respect, equity and transparency, and by providing undeniable value to the health care community.The Exchange is a public-private partnership that operates Washington Healthplanfinder, the eligibility and enrollment portal used by one in four Washington residents to obtain health and dental coverage. Through this platform, and with support from a Customer Support Center and statewide network of in-person navigators and brokers, individuals and families can shop, compare and enroll in private, qualified health plans (as defined in the Affordable Care Act) or enroll in Washington Apple Health, the state Medicaid program.
The Exchange embraces the following equity statement adopted by our Board of Directors:
Equity is fundamental to the mission of the Washington Health Benefit Exchange. The process of advancing toward equity and becoming anti-racist is disruptive and demands vigilance to dismantle deeply entrenched systems of privilege and oppression. While systemic racism is a root cause of many societal inequities, we must also use an intersectional approach to address all forms of bias and oppression, which interact with and often exacerbate racial inequities. To be successful, we must recognize the socioeconomic drivers of health and focus on people and places where needs are greatest. As we listen to community, we must hold ourselves accountable to responding to recommendations to remedy inequitable policies, systems, or practices within the Exchange’s area of influence. Our goal is that all Washingtonians have full and equal access to opportunities, power and resources to achieve their full potential.
Summary
The Application Security Lead position is responsible for leading assessment and validation of application and system security controls to help identify gaps in enterprise security and privacy controls. This position leads a variety of application security initiatives in the WAHBE Security Team and works closely with application development teams. The position provides security subject matter expertise to a variety of technical and non-technical audiences. This position also leads the development and implementation of a penetration testing strategic program plan. The position focuses on the use of out of the box applications in addition to internally developed applications and scripts with the focus on penetration testing. This position is also responsible for reporting findings and collaborating with technical staff for remediation.
Duties and Responsibilities
Plan, communicate, coordinate, and lead application security and penetration tests in addition to developing other security assessments for enterprise applications and systems.Lead the development of the WAHBE Penetration Testing strategic program and tactical plans including relevant areas of application security.Perform accurate validation and assessment of vulnerability scan results.Perform maintenance and operations of WAHBE Application Security toolsets.Develop scripts and other appropriate automation for repeatable tasks in vulnerability validation and application security testing (Dynamic Application Security Testing, Static Application Security Testing, Interactive Application Security Testing).Perform mobile application security testing and lead remediation of discovered vulnerabilities and privacy risks.Create comprehensive and accurate application security and penetration testing reports with recommendations for appropriate remediation.Participate in incident investigation and provide advanced analysis, as needed, and assist in development of strategies to respond to and recover from a security breach.Work with software developers on defining technical solutions for resolution of identified vulnerabilities.Select, recommend, install, configure, and customize security testing tools and develop procedures for suitable use of such tools during security assessments.Make appropriate use of automated tools during security assessments (Metasploit, Nmap, Nessus, Burp Suite, etc.)Perform security assessments of new enterprise solutions to be procured and implemented by WAHBE focusing on the underlying risk to the organization, providing consultation and recommendations as appropriate.Assist in developing training materials for advanced security roles and responsibilities including secure coding standards and technical guidance.Provide security consultation and assessments for cloud environments and containers, focused on best practices and technical analysis.Create Misuse, Abuse, and Confuse cases within the Agile methodology during user story/case development.Perform security analysis and consultation of product requirements and system changes (RFCs) in an Agile environment.Assist WAHBE with “shifting security to the left” by providing security consultation and technical analysis during the early stages of the SDLC to ensure security is built-in by design.Assist WAHBE with the Develops Program, building the CI/CD pipelines as necessary to integrate Application Security into the Secure Software Development Life Cycle (SDLC).Assist WAHBE in managing and updating policies, procedures, and standards utilizing the Secure Software Development Lifecycle.Work with the Risk Management Office in the remediation of vulnerabilities, audit findings and risks tracked and monitored. Liaise with enterprise architects and engineers to share best practices, insights, and requirements.Mentor junior positions in development of key skills necessary to defend the organization.Performs other duties as assigned within the scope of application security and penetration testing.Qualifications
Required:
7+ years of Information Security experience in specialized roles such as penetration testing, application development, application security testing or network security testing5-7 years in software development or IT security related fieldsExcellent understanding of securing SDLC, architecture design and IT operationsExperience performing application security code and roles matrix review and practical risk assessmentsExperience working with threat modeling frameworks (e.g., STRIDE, MITRE ATT&CK, etc.)Experience with common vulnerability assessment tools (e.g., Nessus, RAPID7, Nmap, Burp Suite)Experience with common networking tools (e.g., Wireshark, tcpdump, netcat)Excellent understanding of emerging cybersecurity threatsExcellent understanding of networks, hosting models and IT infrastructureStrong analytical and problem-solving skills with the ability to “think outside the box”Understanding of core Internet protocols and routing (e.g., DNS, HTTP, TCP, UDP, TLS, IPsec)Operational understanding of cryptography fundamentals (e.g., SSL/TLS, password security, filesystem encryption, etc.)Good verbal and written communication skillsAbility to mentor and coach both technical and non-technical resourcesCreative and proactive problem solver; must possess the ability to make independent decisions and judgments about work prioritiesWell organized, flexible, resourceful, and efficient with strong attention to detailStrong interpersonal skills: ability to work with all levels of internal management and staff, as well as outside clients, vendors, diverse populations, stakeholder groups, and customersDesired:
2-4 years penetration tester experienceExperience with securing cloud hosted systemsExperience working with application security methodologies such as OWASPExperience in mobile application securityExperience working with Security information and event managementExperience in the government and/or health care fields.Bachelor’s or Master’s degree in Cybersecurity or related field.
APPLICATION INSTRUCTIONS
This position will be open until we find a suitable number of candidates to review. If interested, please submit an application with a cover letter as soon as possible. The Exchange reserves the right to close the recruitment at any time.
SALARY INFORMATION
The hiring salary range is between minimum of $117,790 and the midpoint of $128,033 depending on candidate experience, internal equity, and the market. Our compensation policy reserves the salary range above the midpoint for meeting and exceeding expectations and growth and development, up to the maximum of $153,639.
BENEFITS
Take a peek at our benefits package.
WORKING CONDITIONS
Core business hours are 8:00 a.m. to 5:00 p.m., Monday through Friday. There are times where irregular hours will be required. The preferred duty station is in our Olympia, Washington facility. The nature of this role relies heavily on remote and in-person collaboration. While a hybrid remote and on-site schedule may be considered, the position will require flexibility to tailor in-office availability as business needs dictate. Travel requirements will be limited to local travel, however there may be occasions in which an employee is required to travel and work irregular hours to attend meetings or trainings. Duties of this position require the use of standard office furniture and equipment (e.g. desk, filing cabinet, computer, printer, telephone, fax machine, copy machine, etc.).
The working conditions and physical demands are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
SPECIAL REQUIREMENTS
A criminal background screen will be conducted for candidates under final consideration, and if hired, every five years of employment where highly sensitive data is processed or maintained by the position. The result of this background screen must meet the Exchange’s eligibility standards.
OTHER INFORMATION
The above statements are intended to describe the general nature and levels of work being performed. They are not intended to be construed as an exhaustive list of responsibilities, duties and skills of personnel so classified.
This is not an employment agreement or contract. Management has the exclusive right to alter this job description at any time without notice.
The Washington Health Benefit Exchange is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, age, marital status, sex, sexual orientation, gender identity, national origin, disability or protected veteran status.
We participate in E-Verify. You can view the Department of Justice's Right to Work poster here.
The Exchange embraces the following equity statement adopted by our Board of Directors:
Equity is fundamental to the mission of the Washington Health Benefit Exchange. The process of advancing toward equity and becoming anti-racist is disruptive and demands vigilance to dismantle deeply entrenched systems of privilege and oppression. While systemic racism is a root cause of many societal inequities, we must also use an intersectional approach to address all forms of bias and oppression, which interact with and often exacerbate racial inequities. To be successful, we must recognize the socioeconomic drivers of health and focus on people and places where needs are greatest. As we listen to community, we must hold ourselves accountable to responding to recommendations to remedy inequitable policies, systems, or practices within the Exchange’s area of influence. Our goal is that all Washingtonians have full and equal access to opportunities, power and resources to achieve their full potential.
Summary
The Application Security Lead position is responsible for leading assessment and validation of application and system security controls to help identify gaps in enterprise security and privacy controls. This position leads a variety of application security initiatives in the WAHBE Security Team and works closely with application development teams. The position provides security subject matter expertise to a variety of technical and non-technical audiences. This position also leads the development and implementation of a penetration testing strategic program plan. The position focuses on the use of out of the box applications in addition to internally developed applications and scripts with the focus on penetration testing. This position is also responsible for reporting findings and collaborating with technical staff for remediation.
Duties and Responsibilities
Plan, communicate, coordinate, and lead application security and penetration tests in addition to developing other security assessments for enterprise applications and systems.Lead the development of the WAHBE Penetration Testing strategic program and tactical plans including relevant areas of application security.Perform accurate validation and assessment of vulnerability scan results.Perform maintenance and operations of WAHBE Application Security toolsets.Develop scripts and other appropriate automation for repeatable tasks in vulnerability validation and application security testing (Dynamic Application Security Testing, Static Application Security Testing, Interactive Application Security Testing).Perform mobile application security testing and lead remediation of discovered vulnerabilities and privacy risks.Create comprehensive and accurate application security and penetration testing reports with recommendations for appropriate remediation.Participate in incident investigation and provide advanced analysis, as needed, and assist in development of strategies to respond to and recover from a security breach.Work with software developers on defining technical solutions for resolution of identified vulnerabilities.Select, recommend, install, configure, and customize security testing tools and develop procedures for suitable use of such tools during security assessments.Make appropriate use of automated tools during security assessments (Metasploit, Nmap, Nessus, Burp Suite, etc.)Perform security assessments of new enterprise solutions to be procured and implemented by WAHBE focusing on the underlying risk to the organization, providing consultation and recommendations as appropriate.Assist in developing training materials for advanced security roles and responsibilities including secure coding standards and technical guidance.Provide security consultation and assessments for cloud environments and containers, focused on best practices and technical analysis.Create Misuse, Abuse, and Confuse cases within the Agile methodology during user story/case development.Perform security analysis and consultation of product requirements and system changes (RFCs) in an Agile environment.Assist WAHBE with “shifting security to the left” by providing security consultation and technical analysis during the early stages of the SDLC to ensure security is built-in by design.Assist WAHBE with the Develops Program, building the CI/CD pipelines as necessary to integrate Application Security into the Secure Software Development Life Cycle (SDLC).Assist WAHBE in managing and updating policies, procedures, and standards utilizing the Secure Software Development Lifecycle.Work with the Risk Management Office in the remediation of vulnerabilities, audit findings and risks tracked and monitored. Liaise with enterprise architects and engineers to share best practices, insights, and requirements.Mentor junior positions in development of key skills necessary to defend the organization.Performs other duties as assigned within the scope of application security and penetration testing.Qualifications
Required:
7+ years of Information Security experience in specialized roles such as penetration testing, application development, application security testing or network security testing5-7 years in software development or IT security related fieldsExcellent understanding of securing SDLC, architecture design and IT operationsExperience performing application security code and roles matrix review and practical risk assessmentsExperience working with threat modeling frameworks (e.g., STRIDE, MITRE ATT&CK, etc.)Experience with common vulnerability assessment tools (e.g., Nessus, RAPID7, Nmap, Burp Suite)Experience with common networking tools (e.g., Wireshark, tcpdump, netcat)Excellent understanding of emerging cybersecurity threatsExcellent understanding of networks, hosting models and IT infrastructureStrong analytical and problem-solving skills with the ability to “think outside the box”Understanding of core Internet protocols and routing (e.g., DNS, HTTP, TCP, UDP, TLS, IPsec)Operational understanding of cryptography fundamentals (e.g., SSL/TLS, password security, filesystem encryption, etc.)Good verbal and written communication skillsAbility to mentor and coach both technical and non-technical resourcesCreative and proactive problem solver; must possess the ability to make independent decisions and judgments about work prioritiesWell organized, flexible, resourceful, and efficient with strong attention to detailStrong interpersonal skills: ability to work with all levels of internal management and staff, as well as outside clients, vendors, diverse populations, stakeholder groups, and customersDesired:
2-4 years penetration tester experienceExperience with securing cloud hosted systemsExperience working with application security methodologies such as OWASPExperience in mobile application securityExperience working with Security information and event managementExperience in the government and/or health care fields.Bachelor’s or Master’s degree in Cybersecurity or related field.
APPLICATION INSTRUCTIONS
This position will be open until we find a suitable number of candidates to review. If interested, please submit an application with a cover letter as soon as possible. The Exchange reserves the right to close the recruitment at any time.
SALARY INFORMATION
The hiring salary range is between minimum of $117,790 and the midpoint of $128,033 depending on candidate experience, internal equity, and the market. Our compensation policy reserves the salary range above the midpoint for meeting and exceeding expectations and growth and development, up to the maximum of $153,639.
BENEFITS
Take a peek at our benefits package.
WORKING CONDITIONS
Core business hours are 8:00 a.m. to 5:00 p.m., Monday through Friday. There are times where irregular hours will be required. The preferred duty station is in our Olympia, Washington facility. The nature of this role relies heavily on remote and in-person collaboration. While a hybrid remote and on-site schedule may be considered, the position will require flexibility to tailor in-office availability as business needs dictate. Travel requirements will be limited to local travel, however there may be occasions in which an employee is required to travel and work irregular hours to attend meetings or trainings. Duties of this position require the use of standard office furniture and equipment (e.g. desk, filing cabinet, computer, printer, telephone, fax machine, copy machine, etc.).
The working conditions and physical demands are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
SPECIAL REQUIREMENTS
A criminal background screen will be conducted for candidates under final consideration, and if hired, every five years of employment where highly sensitive data is processed or maintained by the position. The result of this background screen must meet the Exchange’s eligibility standards.
OTHER INFORMATION
The above statements are intended to describe the general nature and levels of work being performed. They are not intended to be construed as an exhaustive list of responsibilities, duties and skills of personnel so classified.
This is not an employment agreement or contract. Management has the exclusive right to alter this job description at any time without notice.
The Washington Health Benefit Exchange is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, age, marital status, sex, sexual orientation, gender identity, national origin, disability or protected veteran status.
We participate in E-Verify. You can view the Department of Justice's Right to Work poster here.