Application Security Engineer and Security Architect
About xCures:
xCures is redefining how healthcare organizations access, trust, and act on patient data. Our mission is to ensure that critical patient information is available when, where, and how it’s needed most — helping care providers and partners make faster, better-informed decisions that improve health outcomes.
Our AI-powered software platform aggregates, structures, normalizes, and distills patient health data from care encounters nationwide. Within minutes, xCures delivers validated, traceable, and clinically actionable insights, addressing healthcare’s most persistent challenges: missing data, messy data, and opaque insights. Our driving purpose is to equip our partners to provide care and services in a form that inspires confidence and provides real clinical utility.
At xCures, quality and trust are not features — they’re foundational to the tools we’ve built. Our work is driven by precision, performance, and purpose. xCures is excited to champion responsible interoperability and the transformative potential of AI in healthcare, when done with the right values at the front of mind.
About the role
This is a hands-on role designed for a security professional who wants to grow into additional security architecture responsibilities while remaining deeply involved in application security. You will work closely with Engineering, DevOps, Data Science, Product, and GRC to secure APIs, infrastructure-as-code, cloud workloads, and healthcare data systems aligned with HITRUST, HIPAA, ISO 27001, and GDPR requirements.
You will focus primarily on strengthening application security practices while gradually expanding your influence on secure design patterns and architectural decisions as you grow in the role.
Responsibilities
Application Security (Primary Focus)
- Perform secure code reviews across backend, frontend, API, and infrastructure-as-code components.
- Participate in and help facilitate threat modeling sessions for new features and system changes.
- Identify, validate, and support remediation of vulnerabilities discovered via SAST, DAST, SCA, container, and IaC scanning tools.
- Work directly with engineers to prioritize and remediate findings in a pragmatic, risk-based manner.
- Help maintain secure coding standards and developer security guidance.
- Track vulnerability remediation metrics and contribute to improving remediation velocity.
Infrastructure as Code & Cloud Security
- Review Infrastructure as Code (Terraform, CloudFormation, or similar) for security risks.
- Support implementation of policy-as-code guardrails and cloud security posture improvements.
- Help enforce least-privilege IAM and secure configuration baselines.
- Support encryption, secrets management, and secure configuration efforts across cloud environments.
- Assist in securing APIs, authentication/authorization flows, and third-party integrations.
DevSecOps & Tooling
- Integrate and tune security tools within CI/CD pipelines (GitHub-based workflows).
- Support dependency scanning, container scanning, and IaC scanning automation.
- Utilize observability tools such as Datadog to improve logging, alerting, and detection visibility.
- Contribute to dashboards and reporting that measure application security posture.
Third-Party Penetration Testing
- Coordinate and support third-party application and API penetration tests.
- Assist in scoping, validating, and triaging findings.
- Track remediation of external assessment findings through closure.
- Incorporate lessons learned into development practices to reduce repeat findings.
Compliance & Architecture Growth
- Translate regulatory requirements (HITRUST, HIPAA, ISO 27001, GDPR, SOC 2, NIST) into practical technical controls.
- Support audit evidence collection from a technical perspective.
- Gradually contribute to secure reference architectures and design standards.
- Participate in architecture discussions to ensure security considerations are embedded early.
Continuous Improvement
- Stay current on emerging vulnerabilities (OWASP Top 10, CVEs, supply chain risks).
- Contribute to improving the maturity and scalability of the application security program.
- Support application-layer investigations and remediation efforts when needed.
Basic Qualifications
- 3–5 years of experience in application security, DevSecOps, product security, or software engineering with a strong security focus.
- Hands-on experience with secure code review, threat modeling fundamentals, CI/CD security integration, and security scanning tools.
- Familiarity with Infrastructure as Code (Terraform, CloudFormation, or similar).
- Experience working in GitHub-based development environments.
- Familiarity with monitoring and observability tools such as Datadog.
- Experience participating in or coordinating third-party application penetration testing.
- Experience working in cloud-native SaaS environments (AWS, Azure, or GCP).
- Understanding of security frameworks such as HITRUST, HIPAA, ISO 27001, GDPR, SOC 2, or NIST.
- Strong analytical, documentation, and communication skills.
- Must reside in the United States.
- Must have authorization to work in the United States.
Preferred Qualifications
- Experience in healthcare, digital health, or regulated SaaS environments handling PHI.
- Experience supporting HITRUST certification efforts.
- Experience securing APIs and authentication/authorization mechanisms.
- Familiarity with Kubernetes security.
- Exposure to AI/ML data pipeline security.
- Experience writing automation scripts (Python, Bash, or similar).
- Demonstrated interest in developing broader security architecture expertise.
Relevant Certifications (Preferred)
- Security+
- CISSP (Associate acceptable)
- CCSP
- CISM
- AWS Security Specialty or equivalent
- HITRUST CCSFP
- SABSA Foundation (Security Architecture certification)
To apply, please send your cover letter and resume to infosec-jobs@xcures.com
Comp & Benefits
- Salary Range: 100K to 180K annual
- Medical, Dental, Vision insurance
- 401k
xCures acknowledges that equal opportunity for all persons is a fundamental human value. Each employee and applicant will be considered on the basis of individual ability and merit, without regard to race, color, religion, age, sex, sexual orientation, gender identity, gender expression, pregnancy, national origin, marital status, physical disability, mental disability, medical condition, genetic information, protected military or veteran status, or any other characteristics.