About the role
<div class="content-intro"><p>Inovalon was founded in 1998 on the belief that technology, and data specifically, would empower the transformation of the entire healthcare ecosystem for the better, improving both outcomes and economics. At Inovalon, we believe that when our customers are successful in their missions, healthcare improves. Therefore, we focus on empowering them with data-driven solutions. And the momentum is building.</p>
<p>Together, as ONE Inovalon, we are a united force delivering solutions that address healthcare’s greatest needs. Through our mission-based culture of inclusion and innovation, our organization brings value not just to our customers, but to the millions of patients and members they serve.</p></div><p></p>
<p><strong>Role Overview</strong></p>
<p>We are seeking a Staff Software Engineer with a strong focus on application security to serve as a technical leader responsible for embedding security across the design, development, and operation of our cloud‑native SaaS platforms. This role plays a critical part in establishing secure coding standards, and ensuring that security risks, requirements, and controls are effectively implemented, tested, and validated throughout the product lifecycle.</p>
<p>The ideal candidate has hands‑on experience securing SaaS applications operating under HIPAA and PCI compliance requirements, and acts as a trusted partner to Engineering, Architecture, Quality Engineering, DevSecOps, and Compliance teams. This is not a policy‑only or audit‑only role—the Staff Engineer is expected to lead through technical depth, influence, and hands‑on contribution.</p>
<p> </p>
<p><strong>Key Responsibilities</strong></p>
<p><strong>Secure Software Engineering & Technical Leadership</strong></p>
<ul>
<li>Act as a <strong>security engineering subject matter expert</strong> across multiple teams or services.</li>
<li>Establish, document, and evolve <strong>secure coding standards, patterns, and best practices</strong> for SaaS applications.</li>
<li>Lead and participate in <strong>secure design and code reviews</strong>, identifying security flaws, architectural risks, and improper patterns early.</li>
<li>Collaborate with engineers to remediate vulnerabilities in a maintainable and scalable manner.</li>
<li>Ensure security considerations are balanced with performance, reliability, and developer productivity.</li>
</ul>
<p><strong>Risk & Architecture Security</strong></p>
<ul>
<li>Identify assets, trust boundaries, attack surfaces, and data flows—including PHI and payment data.</li>
<li>Define, track, and manage <strong>security risks, mitigations, and accepted residual risks</strong> as engineering artifacts.</li>
</ul>
<p><strong>Security Requirements & Controls</strong></p>
<ul>
<li>Translate threats and regulatory obligations into <strong>clear, actionable, testable security requirements</strong>.</li>
<li>Ensure security requirements are incorporated into:
<ul>
<li>Architecture decisions</li>
<li>Product backlogs</li>
<li>Acceptance criteria and definitions of done</li>
</ul>
</li>
<li>Define and validate security controls for:
<ul>
<li>Authentication and authorization</li>
<li>Encryption and key management</li>
<li>Secure session management</li>
<li>Protection of PHI and cardholder data</li>
</ul>
</li>
</ul>
<p><strong>SaaS, Compliance & Regulated Environments</strong></p>
<ul>
<li>Provide security engineering leadership for <strong>SaaS applications subject to HIPAA and PCI DSS</strong> requirements.</li>
<li>Partner with Compliance, Risk, and Audit teams to ensure engineering designs and implementations support regulatory obligations without excessive friction.</li>
<li>Ensure compliance requirements are addressed through <strong>engineering controls and testable validation</strong>, not manual processes alone.</li>
</ul>
<p><strong>Testing, Validation & Secure SDLC</strong></p>
<ul>
<li>Partner with Quality Engineering and DevSecOps to validate security controls using:
<ul>
<li>Secure code analysis</li>
<li>Threat‑driven test scenarios</li>
<li>Security regression testing</li>
</ul>
</li>
<li>Verify that mitigations identified through threat modeling are <strong>correctly implemented and effective</strong> prior to release.</li>
<li>Support penetration testing, security assessments, and remediation efforts, ensuring findings are resolved sustainably.</li>
</ul>
<p><strong>Collaboration & Influence</strong></p>
<ul>
<li>Influence security posture across teams through <strong>technical leadership</strong>, not enforcement.</li>
<li>Coach engineers on secure design patterns and common security pitfalls.</li>
<li>Serve as a key technical contributor during incident response, root‑cause analysis, and security retrospectives.</li>
</ul>
<p> </p>
<p><strong>Required Qualifications</strong></p>
<ul>
<li>6+ years of experience as a <strong>Software Engineer</strong>, with strong emphasis on <strong>application security</strong>.</li>
<li>Proven experience securing <strong>cloud‑native SaaS applications</strong>.</li>
<li>Hands‑on experience establishing or enforcing <strong>secure coding standards</strong>.</li>
<li>Strong understanding of:
<ul>
<li>Authentication and authorization failures</li>
<li>Secure session management</li>
<li>Injection and input validation risks</li>
<li>Encryption, key management, and data protection</li>
</ul>
</li>
<li>Experience working in <strong>Agile development environments</strong>.</li>
</ul>
<p> </p>
<p><strong>Required Domain Experience</strong></p>
<ul>
<li>Experience supporting <strong>HIPAA‑regulated systems</strong>, including protection of PHI.</li>
<li>Experience working with or supporting <strong>PCI DSS‑scoped applications</strong> and payment data flows.</li>
<li>Understanding of how compliance requirements translate into <strong>practical engineering controls</strong>.</li>
</ul>
<p> </p>
<p><strong>Preferred Certifications</strong></p>
<p>One or more of the following are <strong>strongly preferred</strong>:</p>
<ul>
<li>CSSLP – Certified Secure Software Lifecycle Professional</li>
<li>Cloud security certifications (GCP or equivalent security specialization)</li>
<li>Application‑security‑focused certifications (e.g., GWAPT, GWEB)</li>
</ul>
<p></p><div class="content-conclusion"><p><em><span data-contrast="auto">This position is not eligible for immigration sponsorship (e.g. H-1B, TN, or E-3). Applicants must be authorized to work in the United States as a condition of employment. (This is only applicable for US-based positions)</span></em></p>
<p><em><span data-contrast="auto">If you don’t meet every qualification listed but are excited about our mission and the work described, we encourage you to apply. Inovalon is most interested in finding the best candidate for the job, and you may be just the right person for this or other roles.</span></em></p>
<p><em><span data-contrast="auto">By embracing inclusion, we enhance our work environment and drive business success. Inovalon strives to provide equal opportunities to the communities where we operate and to our clients and everyone whom we serve. We endeavor to create a culture of inclusion in which our associates feel empowered to bring their full, authentic selves to work and pursue their professional goals in an equitable setting. We understand that by fostering this type of culture, and welcoming different perspectives, we generate innovation and growth.</span></em></p>
<p><em><span data-contrast="auto">Inovalon is proud to be an equal opportunity workplace. We are committed to equal employment opportunity regardless of race, color, ancestry, religion, sex, national origin, sexual orientation, age, citizenship, marital status, disability, gender identity or veteran status. We also consider qualified applicants regardless of criminal histories, consistent with legal requirement.</span></em></p>
<p><em><span class="ui-provider bsa bsb bsc bsd bse bsf bsg bsh bsi bsj bsk bsl bsm bsn bso bsp bsq bsr bss bst bsu bsv bsw bsx bsy bsz bta btb btc btd bte btf btg bth bti">To review the legal requirements, including all labor law posters, please visit this <a class="fui-Link ___10kug0w f3rmtva f1ewtqcl fyind8e f1k6fduh f1w7gpdv fk6fouc fjoy568 figsok6 f1hu3pq6 f11qmguv f19f4twv f1tyq0we f1g0x7ka fhxju0i f1qch9an f1cnd47f fqv5qza f1vmzxwi f1o700av f13mvf36 f1cmlufx f9n3di6 f1ids18y f1tx3yz7 f1deo86v f1eh06m1 f1iescvh fhgqx19 f1olyrje f1p93eir f1nev41a f1h8hb77 f1lqvz6u f10aw75t fsle3fq f17ae5zn" href="https://postings.govdocs.com/#/8sZXnFNWk3KYs3F" target="_blank">link</a></span></em></p>
<p><em><span class="ui-provider bsa bsb bsc bsd bse bsf bsg bsh bsi bsj bsk bsl bsm bsn bso bsp bsq bsr bss bst bsu bsv bsw bsx bsy bsz bta btb btc btd bte btf btg bth bti">To review the California Consumer Privacy Statement: Disclosures for California Residents, please visit this <a href="https://www.inovalon.com/privacy-policy/">link</a></span></em></p></div>