Lead Application Security Engineer

Armenia, Relocation, Hybrid, Lead

Job summary

BostonGene is seeking an experienced and collaborative Application Security Engineer (ASE) to help strengthen and advance the organization’s secure software development and application security program within a highly regulated biotechnology environment.

The ASE will work closely with software engineering, cloud engineering, DevOps, data science, platform engineering, infrastructure security, compliance, and research teams to integrate security throughout the Software Development Lifecycle (SDLC). This role supports the protection of sensitive biomedical, genomic, research, clinical, and operational data while enabling innovation and rapid delivery of secure digital platforms.

The ideal candidate combines strong technical application security expertise with excellent communication, leadership, mentoring, and stakeholder engagement skills. This position reports to the Chief Information Security Officer (CISO) or designated security leadership.

Responsibilities

Secure SDLC & Application Security

  • Lead and support secure SDLC initiatives across web, API, cloud-native, and enterprise applications.

  • Establish, maintain, and support SSDLC processes and activities aligned with industry best practices and IEC 81001-5-1.

  • Perform and coordinate secure code reviews; architecture security assessments; threat modeling; vulnerability assessments; penetration testing coordination; security design reviews.

  • Integrate security controls into CI/CD and DevSecOps pipelines.

  • Collaborate with engineering teams to remediate vulnerabilities and improve secure coding practices.

  • Develop application security testing strategies aligned with organizational risk management objectives.

Security Testing & Validation

  • Conduct and oversee security assessments using SAST (Static Application Security Testing); DAST (Dynamic Application Security Testing); SCA (Software Composition Analysis); API Security Testing; Container and Cloud Security Assessments.

  • Evaluate third-party software and open-source dependencies for security risks.

  • Support black-box, gray-box, and white-box testing methodologies where appropriate.

  • Review security testing results and ensure remediation activities are tracked to completion.

Cloud & Infrastructure Security

  • Support secure deployment and configuration practices across cloud platforms such as AWS; Microsoft Azure; Google Cloud Platform (GCP).

  • Collaborate with platform and infrastructure teams on container and Kubernetes security initiatives.

Governance, Risk & Compliance

  • Support compliance initiatives aligned with applicable standards and frameworks, including NIST SP 800-171; NIST Cybersecurity Framework (CSF); ISO 27001; OWASP ASVS; SOC 2; IEC 81001-5-1; HIPAA/HITECH (where applicable); GDPR and international privacy regulations.

  • Participate in risk assessments, audits, and security control validation activities.

  • Assist in maintaining security documentation, standards, procedures, and policies.

Collaboration & Leadership

  • Partner with stakeholders across engineering, research, operations, compliance, and executive leadership.

  • Mentor junior security engineers and promote secure engineering best practices.

  • Support project planning, estimation, prioritization, and security roadmap activities.

  • Prepare dashboards, metrics, and reports for technical and executive audiences.

  • Contribute to building a positive, collaborative, and inclusive security culture.

Qualifications

  • Bachelor’s degree in Cybersecurity, Computer Science, Information Technology, Engineering, or equivalent practical experience.

  • Professional experience in Application Security; DevSecOps; Secure Software Engineering; Security Architecture; Cloud Security.

  • Strong understanding of OWASP Top 10; CWE/SANS Top 25; secure coding principles; threat modeling methodologies.

  • Experience with security testing and scanning tools such as Checkmarx, Burp Suite, Veracode, Snyk, Trivy, Fortify, SonarQube, or similar enterprise security tools.

  • Familiarity with modern development frameworks, APIs, microservices, and cloud-native architectures.

  • Familiarity with regulated software/medical device environments and security activities supporting PMDA or similar regulatory submissions, including IEC 81001-5-1 and IEC 62304.

  • Experience working within Agile/Scrum environments.

  • Strong analytical, problem-solving, verbal, and written communication skills.

Preferred Qualifications

  • Experience in biotechnology, healthcare, genomics, pharmaceutical, or life sciences industries.

  • Knowledge of protecting genomic data; research platforms; clinical systems; biomedical intellectual property.

  • Experience with Kubernetes; Docker; Infrastructure as Code (IaC); CI/CD platforms; Zero Trust architecture.

  • Relevant certifications such as CISSP; CSSLP; CEH; GIAC; AWS/Azure/GCP Security Certifications; OSCP; Security+.

Key Competencies

  • Secure SDLC Leadership and Application Security Engineering

  • Cloud Security and DevSecOps

  • Stakeholder Collaboration

  • Risk Assessment

  • Vulnerability Management

  • Secure Architecture

  • Mentorship & Team Leadership

  • Communication & Executive Reporting

  • Compliance & Governance

We offer:

  • Full-time position with a permanent contract and flexible working hours, with hybrid work options.

  • Competitive salary and comprehensive healthcare insurance.

  • Convenient office location in Yerevan (1-minute walk from the metro) with on-site snacks.

  • Relocation package for candidates and their immediate family members, including full documentation and bureaucracy support (bank accounts, residence permits, school contacts, etc.).

  • Corporate benefits, including English language lessons and gym membership.

  • Dynamic and versatile professional environment with a diverse team of bioinformaticians, biologists, physicians, and software developers committed to improving oncological healthcare.

  • Careful, structured, and responsible supervision to support professional growth.

Published on: 6/10/2026

BostonGene

BostonGene is a biotechnology company specializing in advanced computational biology and precision medicine.

BostonGene is transforming cancer care by leveraging multiomics and advanced AI-powered solutions to deliver personalized treatment insights and accelerate the development of life-saving therapies.
