
AppSec & DevSecOps Engineer

Public Partnerships LLC

Salary: 120k-135k USD

United States only


It's fun to work in a company where people truly BELIEVE in what they're doing!

We're committed to bringing passion and customer focus to the business.

Public Partnerships LLC supports individuals with disabilities or chronic illnesses, and aging adults, to remain in their homes and communities and to self-direct their own long-term home care. Our role as the nation’s largest and most experienced Financial Management Service provider is to assist eligible Medicaid recipients in choosing and paying for their own support workers and services within their state-approved personalized budget. We are appointed by states and managed healthcare organizations to better serve more of their residents and members requiring long-term care and to ensure the efficient use of taxpayer-funded services.

Our culture attracts and rewards people who are results-oriented and strive to exceed customer expectations. We desire motivated candidates who are excited to join our fast-paced, entrepreneurial environment, and who want to make a difference in helping transform the lives of the consumers we serve (learn more at www.pplfirst.com).

Job Summary

We are seeking an experienced and proactive Application Security (AppSec) and DevSecOps Engineer to embed security throughout the software development lifecycle and CI/CD pipelines. You will collaborate with development, operations, and security teams to design, implement, and maintain security best practices in our applications and infrastructure. This role ensures our systems are secure by design and compliant with industry standards, including HIPAA, SOC2, OWASP, NIST 800-53, and NIST SSDF.

Duties & Responsibilities:

Secure SDLC Integration

  • Integrate security at every phase of the software development lifecycle.

  • Collaborate with engineering and product teams in Agile/Scrum environments to prioritize, track, and remediate security issues during sprint cycles.

  • Develop and maintain threat models and perform design reviews.

  • Lead threat modeling sessions and conduct in-depth security architecture reviews.

  • Educate development teams on secure coding practices.

  • Contribute to secure backlog grooming and definition of security-related user stories and acceptance criteria.

  • Actively support the organization’s secure software development lifecycle (SDLC) initiatives by integrating security controls, processes, and testing into development workflows and CI/CD pipelines.

CI/CD Pipeline Security:

  • Integrate security testing tools (SAST, DAST, SCA, IaC scanning) into CI/CD pipelines.

  • Automate security checks to ensure continuous compliance and early detection.

  • Ensure integration of security scanning outputs into ticketing systems and development workflows for traceable remediation.

Infrastructure & DevSecOps

  • Secure containerized environments (Docker, Kubernetes).

  • Ensure cloud infrastructure security (AWS/GCP/Azure) using infrastructure-as-code (IaC) tools like Terraform or CloudFormation.

  • Implement secrets management, identity and access control, and other cloud-native security features.

Application Security:

  • Perform and manage vulnerability assessments, code reviews, and penetration testing.

  • Lead application-level penetration testing efforts, both internally and with external vendors.

  • Remediate findings by working closely with developers and product teams.

  • Facilitate and track remediation activities as part of security sprints.

  • Monitor and manage third-party/open-source dependencies for known vulnerabilities.

  • Conduct security code reviews using both automated and manual analysis techniques.

Required Skills:

  • Hands-on experience with security tools: SAST (e.g., Checkmarx, SonarCloud, Veracode), DAST (e.g., OWASP ZAP, Burp), SCA (e.g., Snyk, WhiteSource), and IaC scanners (e.g., tfsec, Checkov).

  • Proficiency in CI/CD tools (Jenkins, GitLab CI/CD, GitHub Actions).

  • Experience with scripting and automation (Python, Bash, etc.).

  • Solid understanding of OWASP Top 10, secure coding, threat modeling, and secure design principles.

  • Familiarity with containers and orchestration tools (Docker, Kubernetes).

  • Experience working in regulated environments and ensuring security of applications that handle ePHI or sensitive data.

  • Working knowledge of NIST 800-53 (Rev. 5), including AC, AU, SC, and SI control families.

  • Familiarity with NIST SSDF principles and their implementation across the SDLC.

Qualifications:

Education:

Bachelor’s degree in Computer Science, Cybersecurity, or related field (or equivalent experience).

3–5+ years of experience in AppSec, DevSecOps, or related roles.

Healthcare industry experience preferred.

Preferred Attributes:

Certifications: OSCP, CISSP, CSSLP, CEH, or similar.

Experience with cloud-native security in Azure, AWS, and GCP.

Hands-on experience with NIST, HIPAA, and SOC 2 application security compliance, including security assessments and control implementation.

Experience leading penetration testing engagements and managing remediation in collaboration with development teams.

Experience with bug bounty programs or working with security researchers.

Experience implementing or supporting a security champions program is a plus.

Working Conditions:

Office and Remote work.

Up to 10% of travel expected.

Compensation & Benefits:

  • 401k Retirement Plan

  • Medical, Dental and Vision insurance on first day of employment

  • Generous Paid Time Off

  • Employee Assistance Program and more

Compensation: $120,000-$135,000

The above is intended to describe the general contents and requirements of work being performed by people assigned to this classification. It is not intended to be construed as an exhaustive statement of all duties, responsibilities, or skills of personnel so classified.

Public Partnerships is an Equal Opportunity Employer dedicated to celebrating diversity and intentionally creating a culture of inclusion. We believe that we work best when our employees feel empowered and accepted, and that starts by honoring each of our unique life experiences. At PPL, all aspects of employment regarding recruitment, hiring, training, promotion, compensation, benefits, transfers, layoffs, return from layoff, company-sponsored training, education, and social and recreational programs are based on merit, business needs, job requirements, and individual qualifications. We do not discriminate on the basis of race, color, religion or belief, national, social, or ethnic origin, sex, gender identity and/or expression, age, physical, mental, or sensory disability, sexual orientation, marital, civil union, or domestic partnership status, past or present military service, citizenship status, family medical history or genetic information, family or parental status, or any other status protected under federal, state, or local law. PPL will not tolerate discrimination or harassment based on any of these characteristics. PPL believes in health, equality, and prosperity for everyone so we can succeed in changing the ways the public sector, including health, education, technology and human services industries, work.

If you like wild growth and working with happy, enthusiastic over-achievers, you'll enjoy your career with us!

About the job

  • Job type: Full Time

  • Experience level: Mid-level

  • Salary: 120k-135k USD

  • Hiring timezones: United States +/- 0 hours

Public Partnerships LLC hiring AppSec & DevSecOps Engineer • Remote (Work from Home) | Himalayas