IT Application Security Analyst

ABOUT THE ROLE

… The IT Application Security Analyst plays a key role in embedding security by design across the enterprise software development lifecycle (SDLC). This position partners closely with development, DevOps, QA, and IT Operations teams to integrate secure development frameworks, tooling, and practices that strengthen the security, resilience, and compliance of STG's applications and platforms. The role focuses on advancing application security maturity by aligning development practices with industry standards such as NIST SSDF and OWASP ASVS, while enabling teams to deliver software securely and efficiently.

WHAT WILL YOU BE RESPONSIBLE FOR?

Secure SDLC & Governance Assess and continuously improve SDLC processes, tools, and release workflows from a security perspective. Perform gap analyses against secure‑development frameworks including NIST SSDF and

OWASP ASVS.

Define, maintain, and evolve secure development standards and procedures aligned with regulatory requirements such as PCI DSS and

CCPA/GDPR.

Partner with engineering teams to recommend and implement practical security improvements across the SDLC. Application Security Enablement Embed security controls across all SDLC phases, including planning, design, coding, testing, deployment, and maintenance. Deliver threat modeling, secure‑design guidance, and application architecture reviews. Establish and support secure design and code‑review practices, coaching developers on security best practices. Balance security requirements with developer experience and business requirements to reduce friction while increasing security maturity. AppSec Tooling & Automation Implement, operate, and optimize application security tooling including SAST, DAST, and SCA solutions. Integrate security tooling (e.g., Snyk, Checkmarx) into CI/CD pipelines to enable automated vulnerability detection. Define and enforce security gates or holds at key points within development and release workflows. Ensure vulnerability findings are actionable, prioritized, and integrated into remediation processes. Testing, Monitoring & Vulnerability Management Support static, dynamic, and penetration testing activities in partnership with internal and external resources. Integrate vulnerability management, continuous monitoring, and remediation tracking into the SDLC. Provide application‑security support during security incidents and assist teams with investigation and remediation. Platform & Architecture Security Support secure platform and environment modernization efforts, including container security, OS hardening, and secrets management (e.g., Vault, Azure Key Vault). Contribute to application and platform architecture improvements focused on security, stability, and resilience.

REQUIREMENTS

3+ years of experience in Application Security or Software Engineering with a focus on secure development practices. Hands‑on experience implementing secure SDLC frameworks such as NIST SSDF and

OWASP ASVS.

Practical experience integrating

SAST/DAST

tools into CI/CD pipelines and workflows. Working knowledge of PCI DSS and privacy regulations (CCPA/GDPR) as they impact software development. Strong communication skills with the ability to influence and collaborate with engineering teams.

PREFERRED QUALIFICATIONS

Experience with container security, image hardening, and secrets management technologies. Familiarity with the OWASP Top 10, API security, and modern application security practices. Experience coordinating or supporting penetration testing or DAST programs. Relevant certifications such as CSSLP, CISSP, GWAPT, GCSA, or similar.

WHAT'S IN AN OFFER?

As a colleague at Scandinavian Tobacco Group, you will receive a comprehensive compensation package as a generous benefits package.

• Comprehensive Health Care, Vision & Dental Plan
• Flexible Spending Account
• Disability Plans
• Basic & Supplemental Life Insurance
• Additional Supplemental Benefits
• Paid Vacation, Paid Time Off (PTO) days, Holidays
• 401(k) Retirement Saving Plan including a generous Company match Our company uses E-Verify to confirm the employment eligibility of all newly hired employees. To learn more about E-Verify, including your rights and responsibilities, please visit www.e-verify.gov.
• Please be informed that this Direct Search is conducted exclusively by the Scandinavian Tobacco Group. We do not accept applications from agencies, and we will not provide compensation for unsolicited CVs.
• This position does not offer Visa sponsorship.

Candidates must have valid work authorization in the United States and only qualified candidates will be contacted.