We are searching for an experienced Application Security Architect who can utilize solid business knowledge and expert technical experience in security to help develop strategy, roadmap and execution for our Application Security program. In this role you will proactively work to discover security issues proactively during solution design and work to prevent vulnerabilities during development. You will be responsible for developing design patterns and development standards to help developers and architects build secure solutions. You will develop assessment frameworks to evaluate designs then be responsible for their execution. These processes will become especially pertinent in support of current technology modernization efforts with a big emphasis on cloud adoption and data science initiatives. This role will be part of a greenfield team which is tasked with building a new product security strategy...the work we do is brand new and we are building much of this stuff from the ground up using advanced capabilities built into CI/CD pipelines by our counterparts in software engineering. Additionally, this role will support our DH&A business which is a relatively new Humana acquisition to aggregate and perform predictive analysis on all of Humana's data, helping us to provide better health outcomes for our members.
Design of proactive application security frameworks to ensure the secure architecture and development of business solutions. This includes frameworks for performing consistent application security assessments and threat models as well as the development of secure design patterns and development standards.
There are significant opportunities for those with data science and machine learning experience.
Implementation of the above controls into a modern SDLC.
Conduct application security assessments, threat modeling and architecture reviews
Proactively communicate design and development principles to appropriate stakeholders
Proactively improve security designs to reduce vulnerabilities found after development of code
Influence stakeholders to correct security deficiencies in the solution design as well as developed code
Provide solutions to security deficiencies while allowing for necessary business and technical functionality
Automation and standardization of all applicable processes
In depth comprehension of the OWASP Top 10 and an ability to communicate with developers and application architects. Development or software architecture background is preferred.
Experience implementing application security frameworks such as BSIMM and SAMM
Expertise in performing cloud architecture reviews, application risk assessments and threat modeling
Experience in integrating security controls into all forms of SDLC including automation into a CI/CD pipeline
Communicate the need for security controls to a business audience, including justification of spend and effort
Analyzes business impact and exposure based on emerging security threats, vulnerabilities and risks, and recommends technologies and solutions to mitigate them.
Implement security considerations for in house developed, COTS and SaaS solutions
Translates technical concepts into plain language to show business risk
Collaborates with developers and software architects to adjust designs to securely meet business and technical requirements
Ability to lead and motivate a team
Ability to build and implement new security functions in an organization (greenfield).
Comfortable operating in an environment with constant change and ambiguity
Demonstrated experience leading and developing others by providing technical guidance and leadership to project teams.
Maintain team engagement through delegation and empowerment
Build relationships with development, software architecture and product management stakeholders
Experience working in highly regulated environments subject to HIPAA, HITrust, PCI or other related
Candidates must be willing to support west coast work hours and travel to San Francisco or Boston up to once per month.
Bachelor's degree in an IT-related field strongly preferred; post-graduate degree is a bonus, but not required
Knowledge and experience with the configuration of security controls and secure migration of enterprise applications to one of the major cloud providers such as Azure (preferred), Amazon Web Services, or Google Cloud.
Knowledge and experience with security solutions related to data science and machine learning are strongly desired
Experience with CI/CD pipelines
Automation and standardization of software security controls, particularly into a CI/CD pipeline