xCures

Application Security Engineer and Security Architect

Remote
USD 100k - 180k
Python, Bash, API, HITRUST, HIPAA, ISO 27001, GDPR, Terraform, CloudFormation, IAM, GitHub, Datadog, AWS, Azure, GCP, SOC 2, NIST, Kubernetes, AI, Machine Learning
Description


Location: Remote (United States)

Department: IT and Security


About the role:


This is a hands-on role designed for a security professional who wants to grow into additional security architecture responsibilities while remaining deeply involved in application security. You will work closely with Engineering, DevOps, Data Science, Product, and GRC to secure APIs, infrastructure-as-code, cloud workloads, and healthcare data systems aligned with HITRUST, HIPAA, ISO 27001, and GDPR requirements.


You will focus primarily on strengthening application security practices while gradually expanding your influence on secure design patterns and architectural decisions as you grow in the role.


Key Responsibilities:


Application Security (Primary Focus)

  • Perform secure code reviews across backend, frontend, API, and infrastructure-as-code components.
  • Participate in and help facilitate threat modeling sessions for new features and system changes.
  • Identify, validate, and support remediation of vulnerabilities discovered via SAST, DAST, SCA, container, and IaC scanning tools.
  • Work directly with engineers to prioritize and remediate findings in a pragmatic, risk-based manner.
  • Help maintain secure coding standards and developer security guidance.
  • Track vulnerability remediation metrics and contribute to improving remediation velocity.


Infrastructure as Code & Cloud Security

  • Review Infrastructure as Code (Terraform, CloudFormation, or similar) for security risks.
  • Support implementation of policy-as-code guardrails and cloud security posture improvements.
  • Help enforce least-privilege IAM and secure configuration baselines.
  • Support encryption, secrets management, and secure configuration efforts across cloud environments.
  • Assist in securing APIs, authentication/authorization flows, and third-party integrations.


DevSecOps & Tooling

  • Integrate and tune security tools within CI/CD pipelines (GitHub-based workflows).
  • Support dependency scanning, container scanning, and IaC scanning automation.
  • Utilize observability tools such as Datadog to improve logging, alerting, and detection visibility.
  • Contribute to dashboards and reporting that measure application security posture.


Third-Party Penetration Testing

  • Coordinate and support third-party application and API penetration tests.
  • Assist in scoping, validating, and triaging findings.
  • Track remediation of external assessment findings through closure.
  • Incorporate lessons learned into development practices to reduce repeat findings.


Compliance & Architecture Growth

  • Translate regulatory requirements (HITRUST, HIPAA, ISO 27001, GDPR, SOC 2, NIST) into practical technical controls.
  • Support audit evidence collection from a technical perspective.
  • Gradually contribute to secure reference architectures and design standards.
  • Participate in architecture discussions to ensure security considerations are embedded early.


Continuous Improvement

  • Stay current on emerging vulnerabilities (OWASP Top 10, CVEs, supply chain risks).
  • Contribute to improving the maturity and scalability of the application security program.
  • Support application-layer investigations and remediation efforts when needed.


Qualifications


Required

  • 3–5 years of experience in application security, DevSecOps, product security, or software engineering with a strong security focus.
  • Hands-on experience with secure code review, threat modeling fundamentals, CI/CD security integration, and security scanning tools.
  • Familiarity with Infrastructure as Code (Terraform, CloudFormation, or similar).
  • Experience working in GitHub-based development environments.
  • Familiarity with monitoring and observability tools such as Datadog.
  • Experience participating in or coordinating third-party application penetration testing.
  • Experience working in cloud-native SaaS environments (AWS, Azure, or GCP).
  • Understanding of security frameworks such as HITRUST, HIPAA, ISO 27001, GDPR, SOC 2, or NIST.
  • Strong analytical, documentation, and communication skills.


Preferred

  • Relevant certifications: Security+, CISSP (Associate acceptable), CCSP, CISM, AWS Security Specialty or equivalent, HITRUST CCSFP, SABSA Foundation (security architecture certification).
  • Experience in healthcare, digital health, or regulated SaaS environments handling PHI.
  • Experience supporting HITRUST certification efforts.
  • Experience securing APIs and authentication/authorization mechanisms.
  • Familiarity with Kubernetes security.
  • Exposure to AI/ML data pipeline security.
  • Experience writing automation scripts (Python, Bash, or similar).
  • Demonstrated interest in developing broader security architecture expertise.


Location


xCures operates in a distributed, remote-first environment. Candidates may be located anywhere in the United States. Occasional travel to company offsites or key meetings may be required.


The successful candidate must already have authorization to work in the United States. At this time, xCures does not offer sponsorship.


Benefits

  • Salary range: 100,000 to 180,000 annually
  • Medical, Dental, Vision insurance
  • 401k
  • Equity options


xCures is an equal opportunity employer. We celebrate diversity and are committed to creating an inclusive environment for all employees.


Agency Notice: xCures does not accept unsolicited resumes from staffing agencies, search firms, or other third-party recruiters. Any resumes submitted without a signed, active agreement with xCures will not be considered, and no fee will be paid in the event of a hire.


About the Company

About xCures


xCures is redefining how healthcare organizations in the US access, trust, and act on patient data. Our mission is to ensure that critical patient information is available when, where, and how it’s needed most — helping care providers and partners make faster, better-informed decisions that improve health outcomes.


Our AI-powered software platform aggregates, structures, normalizes, and distills patient health data from care encounters nationwide. Our driving purpose is to equip our partners with the critical pieces of validated, traceable information that they need to render care and services in a form that inspires confidence and provides real clinical utility.


At xCures, we hold ourselves to the highest standards of quality and trust. Like the tools we build, our work is driven by precision, performance, and purpose. xCures is excited to champion responsible interoperability and the transformative potential of AI in healthcare, when done with the right values front of mind.
