Application Security Analyst
IT
United States
USD 75k-110k / year
About Sound
Founded in 2001 and headquartered in Nashville, TN, Sound Physicians is a nationally respected, physician-led medical group practicing in 400+ hospitals across 45 states. Our team of 4,000+ clinicians and 1,000+ business professionals across the country is united by one mission: to build exceptional clinical partnerships that unlock quality, affordable, dignified care for everyone – no matter who they are or where they live. With physician-led clinical teams and more than two decades of operational expertise, we’ve refined what it takes to consistently deliver exceptional care in hospital medicine, emergency medicine, critical care, anesthesia, and telemedicine.
Why join us?
- A remote-first culture that values flexibility and collaboration
- Opportunities to grow your career while making a real impact
- A team that champions inclusivity, innovation, and excellence
Whether working virtually or onsite at one of our practices, you’ll be part of a purpose-driven organization shaping the future of healthcare.
Sound Physicians offers a competitive benefits package inclusive of the items below, and more:
- Medical insurance, Dental insurance, and Vision insurance
- Health care and dependent care flexible spending account
- 401(k) retirement savings plan with a company match
- Paid time off (PTO) begins accruing immediately upon start date at a rate of 15 days per year, in accordance with Sound's PTO policy
- Ten company-paid holidays per year
About the Role
The Application Security Analyst helps embed security into the software delivery lifecycle by partnering with development, platform, cloud, and security teams to build secure-by-default processes. This role focuses on reducing risk through automation, continuous testing, secure configuration, and practical guidance that enables teams to ship software quickly and safely. The ideal candidate possesses a strong understanding of application security principles, secure coding practices, cloud security controls, vulnerability management, and modern DevSecOps methodologies.
The Details:
- Participation in the after-hours security incident response and on-call rotation is part of the role.
Essential Duties and Responsibilities
- Integrate security controls and automated checks into CI/CD pipelines, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Software Composition Analysis (SCA), secret scanning, container security scanning, and Infrastructure-as-Code (IaC) validation.
- Partner with developers and platform engineers to identify, prioritize, and remediate application, API, container, and cloud security risks early in the development lifecycle.
- Perform application security assessments, architecture reviews, and threat modeling exercises for new and existing applications.
- Support vulnerability management by validating findings, reducing false positives, tracking remediation, and helping define risk-based service-level expectations.
- Conduct secure code reviews and provide guidance on secure coding practices aligned with OWASP Top 10, CWE, and industry standards.
- Perform security reviews for application architecture, deployment patterns, third-party components, and cloud configurations.
- Develop and maintain secure pipeline standards, reusable guardrails, and policy-as-code checks that improve consistency without creating unnecessary delivery friction.
- Collaborate with engineering, infrastructure, and security operations teams on incident response, root cause analysis, and hardening activities related to software delivery platforms.
- Create and maintain documentation, standards, playbooks, and training materials related to application security, secure development, and DevSecOps practices.
- Track vulnerability trends, security metrics, and recurring issues to improve security maturity across build, release, and runtime workflows.
- Stay current on emerging threats, attack techniques, vulnerabilities, and security technologies relevant to application and cloud security.
Values
- Collaborative: Demonstrates the ability to work well with others to accomplish a goal and get the work done; takes opinions of others into consideration; includes others in the decision-making process.
- Eager to Learn: Proactively seeks out information, embraces learning new things and enjoys the learning process.
- Intellectually curious: Demonstrates a genuine interest in learning new things and wants to know the reason “why” behind the way things are done.
- Committed: Demonstrates dedication to the job, project, organization, customer/clients and co-workers.
- Resourceful: Proactive willingness to utilize available information and tools to figure things out.
Knowledge, Skills, and Abilities
- Strong understanding of application security concepts, secure coding practices, and common attack vectors.
- Strong understanding of application security concepts, secure coding practices, and common attack vectors.
- Knowledge of security testing methodologies including SAST, DAST, SCA, penetration testing, secret scanning, and IaC security assessments.
- Familiarity with cloud platforms such as Azure and AWS.
- Familiarity with CI/CD platforms such as Azure DevOps, GitHub Actions, GitLab CI, or Jenkins.
- Knowledge of OWASP Top 10, OWASP API Security Top 10, MITRE ATT&CK, and NIST Cybersecurity Framework.
- Experience with application security platforms such as Veracode, Checkmarx, Fortify, SonarQube, Snyk, Mend, Burp Suite, Rapid7 InsightAppSec, or similar tools.
- Familiarity with scripting and automation using Python, Powershell, Bash, or similar languages.
- Experience securing containerized applications and platforms (Docker, Kubernetes, OpenShift, AKS, EKS, or GKE), including container image scanning, runtime security monitoring, admission controls, and Kubernetes security best practices.
- Knowledge of container technologies, source control workflows, and modern software delivery practices.
- Familiarity with common static and dynamic application security tools.
- Ability to analyze security findings, assess risk, and communicate remediation recommendations effectively to technical and non-technical stakeholders.
- Familiarity with AI-assisted development processes and appropriate security controls.
- Strong written and verbal communication skills.
- Ability to translate technical issues into clear guidance and action plans
- Knowledge of cloud-native security controls.
- Familiarity with Kubernetes, Terraform, and similar Infrastructure-as-Code tools.
- Familiarity with secrets management, PKI, certificate management, and cryptographic controls.
- Knowledge of compliance frameworks such as NIST CSF, NIST 800-53, HIPAA, PCI DSS, SOC 2, ISO 27001, and HITRUST.
Education and Experience
- Bachelor’s degree in Computer Science, Information Security, or related field, with industry-recognized certifications such as CSSLP (Certified Secure Software Lifecycle Professional), GWAPT (GIAC Web Application Penetration Tester), OSWE (Offensive Security Web Expert), CEH (Certified Ethical Hacker)
- 4+ years of experience in application security, DevOps, cloud security, security engineering, or a related cybersecurity role.
- Knowledge of scripting and programming languages such as Python, PowerShell, Java, JavaScript, C#, or Go is highly desirable and considered a plus.
- Experience supporting regulated environments such as healthcare, financial services, or other compliance-driven industries.
Salary Range
- This position offers an annual salary range of $75,000 to $110,000. Exact salary will depend on the candidate’s experience, education and geographic location.
Sound Physicians is an Equal Employment Opportunity (EEO) employer and is committed to diversity, equity, and inclusion at the bedside and in our workforce. Qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, gender identity, sexual orientation, age, marital status, veteran status, disability status, or any other characteristic protected by federal, state, or local laws.
This job description reflects the present requirements of the position. As duties and responsibilities change and develop, the job description will be reviewed and subject to amendment.
