ABOUT WCG: WCG’s clinical solutions are built on a foundation of best-in-class clinical services companies. We deliver transformational solutions that stimulate growth, foster compliance, and maximize efficiency for those performing clinical trials. WCG is proud to serve individuals on the frontlines of science and medicine, and the organizations striving to develop new products and therapies to improve the quality of human health. It is our role to empower them to accelerate advancement, while ensuring the risks of progress never outweigh the value of human life.
WHY WE LOVE WCG: At WCG, our employees are our most valuable asset and as with all our assets, we invest in them with an eye toward future success. We provide each eligible employee with a comprehensive set of benefits designed to protect their personal and financial health and to help them make the most of their future.
- Comprehensive Benefits package - Health, Dental, Vision, Life, Disability, 401k with match, and flexible spending accounts
- Employee Assistance Programs and additional work/life resources
- Referral Bonuses and Tuition Reimbursement
- Flexible PTO
- Volunteer Time Off to benefit the community
- Opportunities for career development with on-the-job training, certification assistance and continuing education reimbursement
The expected base salary range for this position is $52,470 to $81,500. This salary range may vary based on the candidate's qualifications, experience, skills, education, and geographic location.
JOB SUMMARY: The Application Security Analyst is part of the Security Operations team and is responsible for ensuring that software applications and cloud infrastructure are designed, developed, and deployed with strong security controls. This role focuses heavily on triaging and analyzing results from automated security scans across application code, cloud infrastructure, and containerized environments — translating findings into actionable remediation guidance for development, engineering, and infrastructure teams.
The analyst will work with a broad set of AppSec and cloud security tooling, including SAST, DAST, SCA, CSPM, and container scanning platforms, and must be comfortable managing high volumes of findings, correlating results across multiple sources, and prioritizing risk-based remediation. They will operate within a broader security operations context, collaborating closely with the SOC, cloud/infrastructure teams, and development organizations.
The analyst must have genuine enthusiasm for secure coding, cloud-native security, and problem solving. They must be able to work independently, provide timely updates, and communicate findings clearly to both technical and non-technical stakeholders.
ESSENTIAL DUTIES/RESPONSIBILITIES: To perform this job successfully, an individual must be able to perform each essential duty and responsibility satisfactorily. The accountabilities listed below are representative of the knowledge, skills, and/or ability required.
Secure Development Lifecycle (SDLC) Support
- Partner with software engineering and cloud infrastructure teams to confirm security controls are adequate throughout the SDLC, including in cloud-native and containerized pipelines.
- Conduct threat analysis and support review of remediation results for new and existing applications, APIs, and cloud-hosted services.
- Support adherence to secure coding standards, IaC security guidelines, and application security architectural standards as defined by the security program.
- Support security review of Infrastructure as Code (IaC) templates to identify misconfigurations before deployment.
Vulnerability Identification & Management
- Review manual and automated application security assessments, including:
  - Static Application Security Testing (SAST)
  - Dynamic Application Security Testing (DAST)
  - Software Composition Analysis (SCA)
  - API security testing
  - Container and Kubernetes image scanning
  - Infrastructure as Code (IaC) security scanning
  - Cloud Security Posture Management (CSPM) findings analysis
- Aggregate, deduplicate, and correlate findings across multiple scan sources (SAST, DAST, CSPM, container scans) to build a unified, risk-prioritized view of the organization's application and cloud security posture.
- Analyze results, validate findings, and collaborate with developers and cloud/infrastructure engineers on remediation.
- Track and manage vulnerabilities through their full lifecycle, ensuring timely closure within defined SLAs.
Security Tools & Automation
- Implement, tune, and maintain application security tools within CI/CD pipelines, including integration of SAST, SCA, container scanning, and IaC scanning tools.
- Maintain and optimize CSPM platforms, tuning policies and suppression rules to reduce noise and ensure signal quality.
- Develop automation to streamline security scanning, finding triage, and reporting workflows.
- Evaluate emerging AppSec technologies including AI-assisted code review and security analysis tools (e.g., Snyk DeepCode, Veracode Fix, GitHub Advanced Security), assess their effectiveness, and make adoption recommendations.
- Understand and account for the security implications of AI-generated code, including evaluating AI-introduced vulnerabilities surfaced through scanning results.
Incident Response & Security Support
- Assist in analyzing and responding to application-related security incidents.
- Support penetration testing activities and help interpret and operationalize findings.
- Work with the SOC and threat intelligence teams to contextualize application and cloud vulnerabilities against active threat landscape data.
Governance, Risk & Compliance
- Ensure application and cloud security controls meet regulatory and compliance requirements (e.g., HIPAA, NIST, ISO 27001, SOC 2).
- Support the creation and maintenance of application security documentation, including cloud security baselines and container security standards, as directed by senior security leadership.
- Support internal and external audits related to application and cloud security, including producing evidence from scanning platforms and CSPM tooling.
Training & Awareness
- Support and participate in secure coding and application security training initiatives for development teams.
- Contribute to promoting a security-first culture across engineering, product, and cloud infrastructure organizations.
Other duties as assigned by supervisor. These may, on occasion, be unrelated to the position described here.
EDUCATION REQUIREMENTS: Bachelor's degree in Computer Science, Cybersecurity, Engineering, or related field — or equivalent hands-on experience.
CERTIFICATIONS/LICENSE/REGISTRATION REQUIREMENTS:
- CEH, OSCP, GWAPT, GWEB, CSSLP (preferred)
- AWS Security Specialty, Microsoft SC-100/AZ-500, or equivalent cloud security certifications (preferred)
- Certified Kubernetes Security Specialist (CKS) is a plus
QUALIFICATIONS/EXPERIENCE:
- 2–5 years of experience in application security, cloud security, secure development, or penetration testing.
- Strong understanding of OWASP Top 10, CWE, and common exploit techniques.
- Hands-on experience with AppSec and cloud security tooling, including:
  - SAST/SCA: Veracode, Checkmarx, Fortify, or Snyk
  - DAST: Burp Suite or OWASP ZAP
  - API Testing: Postman or similar
  - Container Scanning: Trivy, Grype, Anchore, or Snyk Container
  - IaC Scanning: Checkov, tfsec, or Semgrep
  - CSPM: Wiz, Prisma Cloud, Orca Security, or Microsoft Defender for Cloud
- Experience working with containerized environments — Docker, Kubernetes, and container image security concepts.
- Familiarity with IaC tools and languages (Terraform or CloudFormation) at a level sufficient to review flagged misconfigurations.
- Familiarity with modern development technologies — REST APIs, cloud-native apps, microservices architectures.
- Ability to read and understand code in one or more languages such as Java, Python, JavaScript, C#, or Go.
- Experience integrating security tools into CI/CD pipelines (GitHub Actions, GitLab CI, Azure DevOps, Jenkins, etc.).
- Demonstrated experience with cloud security across one or more major platforms (AWS, Azure, GCP), including an understanding of cloud-native misconfigurations and their risk implications.
- Strong analytical skills with the ability to correlate and prioritize findings across multiple scan sources and communicate risk clearly to technical and non-technical audiences.
TRAVEL REQUIREMENTS:
| ☒ 0% – 5% | ☐ 5% – 10% | ☐ 10% – 20% | ☐ 20% – 50% | ☐ >50% |
Physical and Sensory Requirements: The physical and sensory requirements described here are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be offered to individuals with disabilities to assist in performing the essential functions of the position. Work activities involve light to moderate physical effort (for example, sitting in one place for extended periods of time, standing, walking, bending, lifting lightweight objects, intermittent to sustained periods of keyboarding). Majority of time is spent in a seated position with frequent opportunity to move about at will. Activities require a variety of easy muscle movements. Work activities involve a frequent need to concentrate on a variety of sensory inputs for moderate to lengthy durations at a time requiring diligence and attention to interpret effectively. There will be a need to attend to single or simultaneous tasks where accuracy of details is important. The need for detailed and precise work is high.