Application Security Analyst 3

McKesson • Scottsdale, AZ

Industry: Healthcare


5 - 7 years

Posted 150 days ago

This job is no longer available.



McKesson is in the business of better health and we touch the lives of patients in virtually every aspect of healthcare. We partner with payors, hospitals, physician offices, pharmacies, pharmaceutical companies and others across the spectrum of care to build healthier organizations that deliver better care to patients in every setting. We believe in the importance of strong, vital organizations because we know that patients can only be healthy when our system is healthy.

Every single McKesson employee contributes to our mission—by joining McKesson you act as a catalyst in a chain of events that helps millions of people all over the globe. Talented, compassionate people are the future of our company—and of healthcare. At McKesson, you’ll collaborate on the products and solutions that help us carry out our mission to improve lives and advance healthcare. Working here is your opportunity to shape an industry that’s vital to us all.

We understand the importance of a system that works together. Your expertise, drive and passion can help us improve everything we touch, from providers to payors to pharmacies. Join our team of leaders to begin a rewarding career. Wherever you contribute here at McKesson, you will have the ability to make a real impact in the lives of others.


Current Need:


The qualified candidate will have experience working within medium to large commercial entities, institutions or enterprises that have a central governance model and a federated structure of business units, a strong understanding of critical built-in security practices, and good vulnerability management reporting and tracking.

To be effective in this role, the candidate must demonstrate a comprehensive understanding of secure development practices and software security testing, strong written and oral communication skills, and high proficiency with the security tools used to assess the security quality and risk of software, with Microsoft Office productivity tools, and with Agile methodology and the associated SAFe, Scrum or Kanban methods.

This individual will perform as an individual contributor within a global application security service discipline and program, and will support the broadening of secure development practices globally.

Position Description:

  • Primary responsibility is to perform and ensure service delivery within prescribed service level objectives by working closely with managers, analysts and designated representatives across enterprise technology services, business unit technology and risk functions
  • Perform and facilitate security remediation priorities of software weaknesses and vulnerabilities identified in software components of McKesson-branded applications and products; and in components comprised of commercial and open-source software
  • Execute internal client initiatives and program-driven taskings on time and within budget allocations while completing deliverables and meeting performance parameters
  • Serve as an escalation point of contact for individual contributors, manager peer group across the enterprise and internal clients to ensure processes effectively address challenges and promote best practices that proactively resolve issues
  • Prepare monthly or as required detailed, high caliber security quality and risk documentation that can be easily consumed by mixed audiences of technologists/non-technologists, risk management teams and business leaders
  • Identify opportunities that continuously streamline and/or enhance built-in security practices and report business risks related to software technologies used by McKesson
  • Participate in and help produce reports as required for oversight activities by outside regulators, internal auditors and other governance functions as appropriate
  • Contribute to the internal body of knowledge of Application Security & Software Assurance distilled from industry standards and commonly accepted governance communities
  • Support and contribute to the ongoing maintenance and tooling of the technology capabilities and systems used by Global Application Security & Software Assurance




Minimum Requirements:

4+ years’ experience in administering security controls in an organization


Critical Skills:

  • Excellent working knowledge of industry standards and guidance such as SEI/CMU and SAFECode; NIST SP 800-53 and SP 800-64; MITRE Common Weakness Risk Analysis Framework and Common Weakness/Vulnerability Enumeration; ISO/IEC 27034; CERT Secure Coding Standards; OWASP Secure Coding Practices
  • Demonstrated working knowledge of threat modeling methodologies and tools (e.g. Microsoft SDL, STRIDE, PASTA)
  • In-depth understanding of software development lifecycles, including embedding application security practices into Agile CI/CD workstreams and defining non-functional software security requirements
  • Demonstrated technical understanding and knowledge of the cloud, mobile and web software technologies used in large enterprise and commercial IT environments, including customized ERP, supply chain, financial/HR and sales/marketing operations, big data infrastructure services for enterprises, and complex authentication and access control services for multi-tenant business systems
  • Demonstrated broad knowledge of the inherent strengths and weaknesses of .NET, Java, C# and Objective-C language technologies, commonly used scripting languages, and the PaaS/SaaS cloud services leveraged to deliver McKesson-branded market solutions and enterprise applications

Additional Knowledge & Skills:

  • Excellent oral/written communications to effectively communicate, report and present activities and findings in a software assurance and business risk context
  • Effective organization, time management and process improvement abilities
  • 1 year+ experience in application security lifecycle management
  • 2+ years of administration and code review experience with any of the following: Veracode SAST/DAST/SCA, Coverity SCA, Synopsys SCA, HP Fortify or Fortify on Demand, Rapid7, IBM AppScan, Checkmarx, Black Duck, Protecode analysis solutions; including application penetration testing
  • Working knowledge of any of the following development lifecycle tools: CVS, HP Quality Center, Jira, Team Foundation Server
  • Commercial software development and/or quality assurance testing experience


4-year degree in computer science or a related field, or equivalent experience


Any of the following are preferred: CSSLP, GSSP-.NET, GSSP-JAVA, GWEB, GWAPT, CISA


Physical Requirements:
General Office Demands