
Application Security Engineer

Alan

Aix-les-Bains · On-site · Contract · Yesterday

About the role

About Alan

Alan is building a vertically integrated health partner that unites insurance and smart healthcare delivery into one seamless system. Our vision is to make prevention the new norm of care for all.

Our mission: Help people live in good health to 100 while helping employers feel proud, turning health benefits from a cost centre into their most valuable investment. By connecting all aspects of care (private, public, and direct to consumer) we create the most member‑centric healthcare experience, reducing claims costs while generating new monetization opportunities. We partner with tens of thousands of companies across France, Spain, Belgium, and Canada, serving over a million members.

How we work: our Leadership Principles

  • Mission is the Boss — We think long‑term and are methodical optimists who take risks, seeking our mission's success above all else.
  • Distributed Ownership — Accountable enlightened despots: everyone owns their decisions and results.
  • Radical Transparency — All information is accessible and written‑first, so everyone can make the best decisions asynchronously.
  • Always Growing — Direct, positive, and caring feedback, combined with self‑growth ownership.

Engineering Community

In our engineering team, we build the infrastructure, interfaces, and applications to provide first‑class service to our members, health professionals, and even ourselves. Being an engineer at Alan means joining a team of talented, committed, and passionate engineers, with a lot of product interaction. We move fast, with a lot of ownership, and are proud to tackle big problems. We do security as we do everything else — that is, not quite the traditional way, but always in line with our leadership principles. Joining Alan as an Application Security Engineer means you’re at the forefront of protecting sensitive health data and ensuring our systems are resilient against threats.

Application Security Team

Tech Foundations enables product crews and creates the environment to thrive — combining world‑class infrastructure, intuitive developer experience, exquisite operational excellence, and built‑in security to make shipping exceptional products effortless. Application Security is one of its crews. Its mission: build, evolve and operate the foundational security building blocks and secure‑by‑default patterns that make Alan's products safe by design, highly available, and easy to ship, while partnering with product teams and Security Operations to reduce real risk without turning security into a bottleneck.

Scope

  • Securing the codebase
    • SAST — Implement, maintain, and continuously improve static analysis tooling integrated into CI/CD pipelines.
    • DAST — Deploy and operate dynamic analysis tooling to surface runtime vulnerabilities before they reach production.
    • Hardcoded secrets — Detect, remediate, and prevent hardcoded secrets across the codebase and pipelines.
    • Vulnerability remediation — Identify, triage, and drive remediation of vulnerabilities in application code and CI/CD configurations.
  • Securing the supply chain
    • Dependency vulnerability management — Identify, triage, and drive remediation of vulnerabilities in third‑party dependencies.
    • Dependency & runtime hygiene — Keep dependencies and execution environments up to date, with clear ownership and SLAs.
    • Production traceability & hardening — Harden execution environments and ensure full traceability of code deployed to production.
  • Securing the development process
    • Security and privacy by design — Champion security and privacy as first‑class concerns in engineering workflows, code reviews, and architecture decisions.
    • Threat modeling & risk culture — Foster a habit of threat modeling and rapid risk assessments in product teams; elevate security maturity across the entire product and engineering community.
    • Secure SDLC — Embed security checkpoints and guardrails throughout the software development lifecycle.
    • AI‑assisted coding security — Define and enforce security guardrails for AI‑assisted and agentic coding workflows, for both Engineering and non‑Engineering populations.

Focus for 2026

In 2026, we will significantly raise the s

Responsibilities

  • Implement, maintain, and continuously improve static analysis tooling integrated into CI/CD pipelines.
  • Deploy and operate dynamic analysis tooling to surface runtime vulnerabilities before they reach production.
  • Detect, remediate, and prevent hardcoded secrets across the codebase and pipelines.
  • Identify, triage, and drive remediation of vulnerabilities in application code and CI/CD configurations.
  • Identify, triage, and drive remediation of vulnerabilities in third-party dependencies.
  • Keep dependencies and execution environments up to date, with clear ownership and SLAs.
  • Harden execution environments and ensure full traceability of code deployed to production.
  • Champion security and privacy as first-class concerns in engineering workflows, code reviews, and architecture decisions.
  • Foster a habit of threat modeling and rapid risk assessments in product teams; elevate security maturity across the entire product and engineering community.
  • Embed security checkpoints and guardrails throughout the software development lifecycle.
  • Define and enforce security guardrails for AI-assisted and agentic coding workflows, for both Engineering and non-Engineering populations.

Skills

CI/CD, DAST, SAST
