IT Application Security Analyst

The IT Application Security Analyst plays a key role in embedding security by design across the enterprise software development lifecycle (SDLC). This position partners closely with development, DevOps, QA, and IT Operations teams to integrate secure development frameworks, tooling, and practices that strengthen the security, resilience, and compliance of STG’s applications and platforms.

The role focuses on advancing application security maturity by aligning development practices with industry standards such as NIST SSDF and OWASP ASVS, while enabling teams to deliver software securely and efficiently.

• Assess and continuously improve SDLC processes, tools, and release workflows from a security perspective. 
• Perform gap analyses against secure‑development frameworks including NIST SSDF and OWASP ASVS. 
• Define, maintain, and evolve secure development standards and procedures aligned with regulatory requirements such as PCI DSS and CCPA/GDPR. 
• Partner with engineering teams to recommend and implement practical security improvements across the SDLC. 

• Embed security controls across all SDLC phases, including planning, design, coding, testing, deployment, and maintenance. 
• Deliver threat modeling, secure‑design guidance, and application architecture reviews. 
• Establish and support secure design and code‑review practices, coaching developers on security best practices. 
• Balance security requirements with developer experience and business requirements to reduce friction while increasing security maturity. 

• Implement, operate, and optimize application security tooling including SAST, DAST, and SCA solutions. 
• Integrate security tooling (e.g., Snyk, Checkmarx) into CI/CD pipelines to enable automated vulnerability detection. 
• Define and enforce security gates or holds at key points within development and release workflows. 
• Ensure vulnerability findings are actionable, prioritized, and integrated into remediation processes. 

• Support static, dynamic, and penetration testing activities in partnership with internal and external resources.
• Integrate vulnerability management, continuous monitoring, and remediation tracking into the SDLC.
• Provide application‑security support during security incidents and assist teams with investigation and remediation. 

• Support secure platform and environment modernization efforts, including container security, OS hardening, and secrets management (e.g., Vault, Azure Key Vault). 
• Contribute to application and platform architecture improvements focused on security, stability, and resilience. 

 

• 3+ years of experience in Application Security or Software Engineering with a focus on secure development practices. 
• Hands‑on experience implementing secure SDLC frameworks such as NIST SSDF and OWASP ASVS. 
• Practical experience integrating SAST/DAST tools into CI/CD pipelines and workflows. 
• Working knowledge of PCI DSS and privacy regulations (CCPA/GDPR) as they impact software development. 
• Strong communication skills with the ability to influence and collaborate with engineering teams. 

 

• Experience with container security, image hardening, and secrets management technologies. 
• Familiarity with the OWASP Top 10, API security, and modern application security practices. 
• Experience coordinating or supporting penetration testing or DAST programs. 
• Relevant certifications such as CSSLP, CISSP, GWAPT, GCSA, or similar.

 

As a colleague at Scandinavian Tobacco Group, you will receive a comprehensive compensation package as a generous benefits package.

•             Comprehensive Health Care, Vision & Dental Plan

•             Flexible Spending Account

•             Disability Plans

•             Basic & Supplemental Life Insurance

•             Additional Supplemental Benefits

•             Paid Vacation, Paid Time Off (PTO) days, Holidays

•             401(k) Retirement Saving Plan including a generous Company match

Our company uses E-Verify to confirm the employment eligibility of all newly hired employees.  To learn more about E-Verify, including your rights and responsibilities, please visit www.e-verify.gov.

 

*Please be informed that this Direct Search is conducted exclusively by the Scandinavian Tobacco Group. We do not accept applications from agencies, and we will not provide compensation for unsolicited CVs.

 

**This position does not offer Visa sponsorship. Candidates must have valid work authorization in the United States and only qualified candidates will be contacted.