Application Security Engineer

Application Security Engineer (London or Bristol)

We are Health Hero, Europe's largest digital clinic. Join us at a pivotal moment as we scale our digital healthcare platform across Europe - giving you the chance to shape security at the heart of a fast-growing, AI-driven business. We are recruiting an exciting Application Security Engineer on an initial 12-month fixed-term contract, with a view to becoming permanent - based in either our London or Bristol office two days per week.

You will own security across the software development lifecycle, embedding automated security testing into CI/CD pipelines and enabling development teams to ship secure code quickly. This role works closely with UK and France engineering teams.

• Implement and maintain security testing in Git Lab CI pipelines
• Configure and tune SAST, DAST, dependency scanning, and secrets detection
• Build automated security gates that balance rigour with delivery velocity
• Enable self-serve security tooling for development teams
• Contribute code and patches to security tooling and configurations

• Define and enforce secure coding standards
• Conduct security-focused code reviews and threat modelling for new features
• Provide remediation guidance for application vulnerabilities
• Train and support developers on secure coding practices

• Triage, patch and track application vulnerabilities through to remediation
• Manage dependency vulnerabilities and upgrade cycles
• Report on application security posture to senior leadership

• Embed GDPR and healthcare regulatory requirements into development processes
• Support DCB
  0129 clinical safety compliance for software changes
• Support customer security due diligence and audits
• Support ISO
  27001:2022 ISMS controls and audit process

• 3+ years in application security, Dev Sec Ops , and secure software development
• Hands‑on experience with CI/CD security integration (Git Lab CI or similar)
• Familiarity with SAST/DAST tooling and dependency scanning
• Understanding of common vulnerabilities (OWASP Top 10) and remediation
• Previous experience working as a back-end or full stack developer
• Knowledge of GDPR and data protection legislation
• Strong communicator; able to translate security requirements for developers

• Development background with security focus
• Familiarity with SIEM platforms (Snowbit, Splunk, Sentinel)
• Experience with CSPM tooling (Wiz, Prisma Cloud, or similar)
• Penetration testing or bug bounty experience
• Experience in regulated environments (healthcare, financial services)
• Familiarity with threat modelling frameworks (STRIDE, PASTA)

• A full induction training programme, which will be undertaken via Microsoft Teams.
• An opportunity to work as part of an experienced team who are passionate in their field, supportive, diverse and dynamic.
• 25 days leave.
• Bank Holidays and your birthday off as leave.
• Regular 1-2-1s with your line Manager.
• 24/7 on-call staff support.
• Auto-enrolment pension scheme.
• Health Scheme and access to our Employee Assistance Programme.
• Life Insurance Scheme.

If you are interested in making a difference and believe this role is a good fit for you, we would love to hear from you.

Hybrid: London or Bristol (There is a requirement to work in the office for a minimum of two days per week)

Closing date for applications: Friday 29 May (5pm)

Additional information: We reserve the right to close this job in the event we receive a sufficient number of applications. Please note that we are unfortunately unable to offer a sponsor licence to candidates who require sponsorship from their employer.