Cardinal Health

Senior Application Security Engineer

Posted on: 17 Jan 2021

Dublin, OH

Job Description

Headquartered in Dublin, Ohio, Cardinal Health, Inc. (NYSE: CAH) is a global, integrated healthcare services and products company connecting patients, providers, payers, pharmacists and manufacturers for integrated care coordination and better patient management. Backed by nearly 100 years of experience, with more than 50,000 employees in nearly 60 countries, Cardinal Health ranks among the top 20 on the Fortune 500.

Department Overview

The FUSE Commercial Technologies group is focused on building technology solutions for use directly in patient care environments. Our existing applications support oncology clinics and encompass workflows critical to care such as chemotherapy orders and drug dispensing. We have an interest in providing value-add services and products to our customers, so our product portfolio is ever-changing.

This role exists within Cardinal Health's Fuse software development center. FUSE maintains an unexpected start-up atmosphere within a Fortune 19 company. Our enticing, casual and creative environment is specifically designed to foster the ingenuity of every individual. We know that ideas happen anywhere. At Fuse, the ideas are shared among other great minds, vetted each day and turned into extraordinary healthcare solutions. To learn more about the atmosphere at FUSE, please see our launch video.

Job Overview

The Senior Application Security Engineer reports directly to the FUSE Security Officer and will be responsible for day-to-day product security activities in embedding the corporate information security and compliance program within their product portfolio. The individual will be expected to work directly with the development and DevOps teams to ensure the software and systems are built with security in mind and provide proper data protections. They will also assist in maintaining audit and compliance initiatives to ensure that corporate policies, standards, procedures, and audit activities are in alignment with business, IT, and regulatory requirements. Success in the role will be measured by the effectiveness of the implementation of security and compliance directives.

They are viewed as a leader in Information Security as they work with the teams to ensure they understand requirements, secure design, secure implementation, and security testing as they build applications. The individual will also assist in maintaining security and compliance initiatives to ensure that corporate policies, standards, procedures, and audit activities are in alignment with business, IT, and regulatory requirements. Success in the role will be measured by the effectiveness of the implementation of information security and compliance directives.

Job Responsibilities Include

* Responsible for driving the security product roadmap for their portfolio.

* Measures and reports on the security posture of their product portfolio on an ongoing basis.

* Leads and/or participates in business, culture, technical, and practice initiatives that support information security and continuous improvement across the organization.

* Provide professional guidance to the product teams to ensure they are implementing products that align with the defined security policies and standards.

* Assist the technical teams in identifying and remediating security vulnerabilities, including explaining to the teams the identified vulnerability, how it would be exploited, and how it is properly defended against

* Responsible for a clear understanding of what a Secure Software Development Lifecycle is and how to enable teams to effectively implement the appropriate controls (Threat Modeling, SAST, DAST, WAF, etc.)

* Ability to conduct application security assessments (penetration tests, code reviews, threat models, infrastructure review, etc.)

* Give guidance including examples for the development teams to design and implement secure patterns

* Combine automated tools with manual testing to identify and validate vulnerabilities

* Regularly monitor the security community for public-facing security issues, as well as to learn new tactics that can be used in testing.

* Assist with third party information security assessments

* Monitor security trends and drive security best practices throughout the organization

* Evaluating, designing, testing, and recommending new or improved controls to keep FUSE current with industry standards and compliance requirements.

* Educating product owners and development teams on data security requirements

Preferred Qualifications

* Advanced work experience as a security engineer, software engineer with security experience or equivalent position

* Strong understanding of cybersecurity and secure application development practices

* Experience with conducting application security assessments (penetration tests, code reviews, threat models, infrastructure review, etc.)

* Strong working understanding of Application Security (common app vulnerabilities as well as remediation and defense strategies)

* Understanding of Identity and Access Management protocols and technologies (FIDO, U2F, Web-Auth, SSO, SAML, OAuth, Federation, etc.)

* Aware of common security vulnerabilities like OWASP Top 10 and Ransomware, with the ability to communicate the remediation successfully to the business

* Experience advising and mentoring diverse teams where you do not have direct authority

* Familiarity with security frameworks associated with COBIT, COSO, HIPAA/HITECH, ISO, ITIL, NIST, PCI DSS, SOC and SOX

* Experience utilizing resources like OWASP, CWE Top 20, etc.

* Bachelor's degree in related field, or equivalent work experience leading cybersecurity or information security initiatives.

* Professional certification in the information security space (e.g. CISM, CISSP, CSSLP, GIAC) or other security certification at a similar level is a plus.

Technologies

* Working knowledge of common vulnerabilities and attacks for both commercial applications and infrastructure (OWASP Top 10, CWE, etc.)

* Proficient understanding of security domains such as Application Security, Cloud Security, Cryptography, Authentication, Authorization, OAuth, SAML, etc.

* Knowledge of Secure Software Development Lifecycle (SDLC)

* Experience with application security tools such as SAST (Veracode, Checkmarx, HP-Fortify, etc.) and DAST (Burp Suite, ZAP, HP-Fortify, AppSpider, etc.)

* Proficiency in multiple programming languages, expertise in at least one

* Java experience highly preferred

* JavaScript experience highly preferred

* Experience with RESTful web services

* Comfortable working with open-source technologies

* Proficiency in application/platform security

Cardinal Health

Dublin, OH

Cardinal Health, Inc. operates as an integrated healthcare services and products company in the United States and internationally. It provides medical products and pharmaceuticals, and solutions that enhance supply chain efficiency for hospitals, healthcare systems, pharmacies, ambulatory surgery centers, clinical laboratories, and physician offices.

The company operates through two segments, Pharmaceutical and Medical. The Pharmaceutical segment distributes branded and generic pharmaceutical, specialty pharmaceutical, and over-the-counter healthcare and consumer products. It also provides services to support the development, marketing, and distribution of specialty pharmaceutical products, as well as pharmacy management, and medication therapy management and patient outcomes services to hospitals, other healthcare providers, and payers; operates nuclear pharmacies and radiopharmaceutical manufacturing facilities; and repackages generic pharmaceuticals and over-the-counter healthcare products.

The Medical segment manufactures, sources, and distributes Cardinal Health branded medical, surgical, and laboratory products. It also distributes a range of national brand products; and medical products to patients’ homes, as well as provides supply chain services and solutions to hospitals, ambulatory surgery centers, clinical laboratories, and other healthcare providers. Cardinal Health, Inc. was founded in 1979 and is headquartered in Dublin, Ohio.
