Reed

Application Security Engineer

Health Hero
W1T1AF
about 11 hours ago

Skills & Technologies

Full Stack, Software Development, Prisma, GitLab CI, CI/CD, Splunk, Cloud, GitLab, Microsoft Teams, Penetration Testing, SIEM, GDPR, OWASP, Threat Modelling, Strategy, Audit, Compliance, Regulatory, Integration, Make

Job Description

Application Security Engineer (London or Bristol)

We are HealthHero, Europe’s largest digital clinic. Join us at a pivotal moment as we scale our digital healthcare platform across Europe — giving you the chance to shape security at the heart of a fast-growing, AI-driven business. We are recruiting an Application Security Engineer on an initial 12-month fixed-term contract, with a view to becoming permanent – based in either our London or Bristol office two days per week.

About the role

You will own security across the software development lifecycle, embedding automated security testing into CI/CD pipelines and enabling development teams to ship secure code quickly. This role works closely with UK and France engineering teams.

As an experienced Application Security Engineer, your working day will include but not be limited to:

DevSecOps & Pipeline Security

Implement and maintain security testing in GitLab CI pipelines

Configure and tune SAST, DAST, dependency scanning, and secrets detection

Build automated security gates that balance rigour with delivery velocity

Enable self-serve security tooling for development teams

Contribute code and patches to security tooling and configurations

Secure Development

Define and enforce secure coding standards

Conduct security-focused code reviews and threat modelling for new features

Provide remediation guidance for application vulnerabilities

Train and support developers on secure coding practices

Vulnerability Management

Triage, patch and track application vulnerabilities through to remediation

Manage dependency vulnerabilities and upgrade cycles

Report on application security posture to senior leadership

Risk & Compliance

Embed GDPR and healthcare regulatory requirements into development processes

Support DCB0129 clinical safety compliance for software changes

Support customer security due diligence and audits

Support ISO27001:2022 ISMS controls and audit process

Key Skills and Experience

Essential

3+ years in application security, DevSecOps, and secure software development

Hands-on experience with CI/CD security integration (GitLab CI or similar)

Familiarity with SAST/DAST tooling and dependency scanning

Understanding of common vulnerabilities (OWASP Top 10) and remediation

Previous experience working as a back end or full stack developer

Knowledge of GDPR and data protection legislation

Strong communicator; able to translate security requirements for developers

Desirable

Development background with security focus

Familiarity with SIEM platforms (Snowbit, Splunk, Sentinel)

Experience with CSPM tooling (Wiz, Prisma Cloud, or similar)

Penetration testing or bug bounty experience

Experience in regulated environments (healthcare, financial services)

Familiarity with threat modelling frameworks (STRIDE, PASTA)

Company & Role Analysis

Likely perks
Private Medical, Pension, 25+ Days Holiday, Stock Options, Learning Budget, Flexible Hours

Market salary range

£45,000 – £60,000 (Glassdoor, Levels.fyi, 2025)
