Application Security Analyst (Remote)
General Information
Location: Cary, NC, Remote
Organization: WCG
Job Type: Full Time - Regular
Description and Requirements
ABOUT WCG: WCG's clinical solutions are built on a foundation of best-in-class clinical services companies. We deliver transformational solutions that stimulate growth, foster compliance, and maximize efficiency for those performing clinical trials. WCG is proud to serve individuals on the frontlines of science and medicine, and the organizations striving to develop new products and therapies to improve the quality of human health. It is our role to empower them to accelerate advancement, while ensuring the risks of progress never outweigh the value of human life.
WHY WE LOVE WCG: At WCG, our employees are our most valuable asset and as with all our assets, we invest in them with an eye toward future success. We provide each eligible employee with a comprehensive set of benefits designed to protect their personal and financial health and to help them make the most of their future.
Comprehensive Benefits package - Health, Dental, Vision, Life, Disability, 401k with match, and flexible spending accounts
Employee Assistance Programs and additional work/life resources
Referral Bonuses and Tuition Reimbursement
Flexible PTO
Volunteer Time Off to benefit the community
Opportunities for career development with on-the-job training, certification assistance and continuing education reimbursement
The expected base salary range for this position is $52,470 to $81,500. This salary range may vary based on the candidate's qualifications, experience, skills, education, and geographic location.
JOB SUMMARY: The Application Security Analyst is part of the Security Operations team and is responsible for ensuring that software applications and cloud infrastructure are designed, developed, and deployed with strong security controls. This role focuses heavily on triaging and analyzing results from automated security scans across application code, cloud infrastructure, and containerized environments - translating findings into actionable remediation guidance for development, engineering, and infrastructure teams.
The analyst will work with a broad set of AppSec and cloud security tooling, including SAST, DAST, SCA, CSPM, and container scanning platforms, and must be comfortable managing high volumes of findings, correlating results across multiple sources, and prioritizing risk-based remediation. They will operate within a broader security operations context, collaborating closely with the SOC, cloud/infrastructure teams, and development organizations.
The analyst must have genuine enthusiasm for secure coding, cloud-native security, and problem solving. They must be able to work independently, provide timely updates, and communicate findings clearly to both technical and non-technical stakeholders.
ESSENTIAL DUTIES/RESPONSIBILITIES: To perform this job successfully, an individual must be able to perform each essential duty and responsibility satisfactorily. The accountabilities listed below are representative of the knowledge, skills, and/or ability required.
Secure Development Lifecycle (SDLC) Support
Partner with software engineering and cloud infrastructure teams to confirm security controls are adequate throughout the SDLC, including in cloud-native and containerized pipelines.
Conduct threat analysis and support review of remediation results for new and existing applications, APIs, and cloud-hosted services.
Support adherence to secure coding standards, IaC security guidelines, and application security architectural standards as defined by the security program.
Support security review of Infrastructure as Code (IaC) templates to identify misconfigurations before deployment.
Vulnerability Identification & Management
Review manual and automated application security assessments, including:
Static Application Security Testing (SAST)
Dynamic Application Security Testing (DAST)
Software Composition Analysis (SCA)
API security testing
Container and Kubernetes image scanning
Infrastructure as Code (IaC) security scanning
Cloud Security Posture Management (CSPM) findings analysis
Aggregate, deduplicate, and correlate findings across multiple scan sources (SAST, DAST, CSPM, container scans) to build a unified, risk-prioritized view of the organization's application and cloud security posture.
Analyze results, validate findings, and collaborate with developers and cloud/infrastructure engineers on remediation.
Track and manage vulnerabilities through their full lifecycle, ensuring timely closure within defined SLAs.
Security Tools & Automation
Implement, tune, and maintain application security tools within CI/CD pipelines, including integration of SAST, SCA, container scanning, and IaC scanning tools.
Maintain and optimize CSPM platforms, tuning policies and suppression rules to reduce noise and ensure signal quality.
Develop automation to streamline security scanning, finding triage, and reporting workflows.
Evaluate emerging AppSec technologies including AI-assisted code review and security analysis tools (e.g., Snyk DeepCode, Veracode Fix, GitHub Advanced Security), assess their effectiveness, and make adoption recommendations.
Understand and account for the security implications of AI-generated code, including evaluating AI-introduced vulnerabilities surfaced through scanning results.
Incident Response & Security Support
Assist in analyzing and responding to application-related security incidents.
Support penetration testing activities and help interpret and operationalize findings.
Work with the SOC and threat intelligence teams to contextualize application and cloud vulnerabilities against active threat landscape data.
Governance, Risk & Compliance
Ensure application and cloud security controls meet regulatory and compliance requirements (e.g., HIPAA, NIST, ISO 27001, SOC 2).
Support the creation and maintenance of application security documentation, including cloud security baselines and container security standards, as directed by senior security leadership.
Support internal and external audits related to application and cloud security, including producing evidence from scanning platforms and CSPM tooling.
Training & Awareness
Support and participate in secure coding and application security training initiatives for development teams.
Contribute to promoting a security-first culture across engineering, product, and cloud infrastructure organizations.
Other duties as assigned by supervisor. These may, on occasion, be unrelated to the position described here.
EDUCATION REQUIREMENTS: Bachelor's degree in Computer Science, Cybersecurity, Engineering, or related field - or equivalent hands-on experience.
CERTIFICATIONS/LICENSE/REGISTRATION REQUIREMENTS:
CEH, OSCP, GWAPT, GWEB, CSSLP (preferred)
AWS Security Specialty, Microsoft SC-100/AZ-500, or equivalent cloud security certifications (preferred)
Certified Kubernetes Security Specialist (CKS) is a plus
QUALIFICATIONS/EXPERIENCE:
2-5 years of experience in application security, cloud security, secure development, or penetration testing.
Strong understanding of OWASP Top 10, CWE, and common exploit techniques.
Hands-on experience with AppSec and cloud security tooling, including:
SAST/SCA: Veracode, Checkmarx, Fortify, or Snyk
DAST: Burp Suite or OWASP ZAP
API Testing: Postman or similar
Container Scanning: Trivy, Grype, Anchore, or Snyk Container
IaC Scanning: Checkov, tfsec, or Semgrep
CSPM: Wiz, Prisma Cloud, Orca Security, or Microsoft Defender for Cloud
Experience working with containerized environments - Docker, Kubernetes, and container image security concepts.
Familiarity with IaC tools and languages (Terraform or CloudFormation) at a level sufficient to review flagged misconfigurations.
Familiarity with modern development technologies - REST APIs, cloud-native apps, microservices architectures.
Ability to read and understand code in one or more languages such as Java, Python, JavaScript, C#, or Go.
Experience integrating security tools into CI/CD pipelines (GitHub Actions, GitLab CI, Azure DevOps, Jenkins, etc.).
Demonstrated experience with cloud security across one or more major platforms (AWS, Azure, GCP), including an understanding of cloud-native misconfigurations and their risk implications.
Strong analytical skills with the ability to correlate and prioritize findings across multiple scan sources and communicate risk clearly to technical and non-technical audiences.
Physical and Sensory Requirements: The physical and sensory requirements described here are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be offered to individuals with disabilities to assist in performing the essential functions of the position. Work activities involve light to moderate physical effort (for example, sitting in one place for extended periods of time, standing, walking, bending, lifting lightweight objects, intermittent to sustained periods of keyboarding). Majority of time is spent in a seated position with frequent opportunity to move about at will. Activities require a variety of easy muscle movements. Work activities involve a frequent need to concentrate on a variety of sensory inputs for moderate to lengthy durations at a time requiring diligence and attention to interpret effectively. There will be a need to attend to single or simultaneous tasks where accuracy of details is important. The need for detailed and precise work is high.
WCG is proud to be an equal opportunity employer - Qualified applicants will receive consideration for employment based on merit and without regard to race, color, national origin or ancestry, religion or creed, sex, sexual orientation, gender expression, gender identity, age, marital status, family or parental status, disability, genetic information, citizenship, veteran status, or any other legally recognized basis or status protected by federal, state, or local law. WCG complies with the Vietnam Era Veterans' Readjustment Act and Section 503 of the Rehabilitation Act. We promote a "One WCG" culture where all are welcome, respected, valued, and empowered to make a difference every day to advance clinical research.