Application Security Engineer – Tech Foundations

You. Better. With Alan. Alan is building a vertically integrated health partner that unites insurance and smart healthcare delivery into one seamless system. Our vision is to make prevention the new norm of care for all. Our mission: Help people live in good health to 100 while helping employers feel proud, turning health benefits from a cost centre into their most valuable investment. By connecting all aspects of care (private, public, and direct to consumer) we create the most member-centric healthcare experience, reducing claims costs while generating new monetization opportunities. We partner with tens of thousands of companies across France , Spain , Belgium , and Canada , serving over a million members. How we work: our Leadership Principles Mission is the Boss — We think long-term and are methodical optimists who take risks, seeking our mission's success above all else. Distributed Ownership — Accountable enlightened despots: everyone owns their decisions and results. Radical Transparency — All information is accessible and written-first, so everyone can make the best decisions asynchronously. Always Growing — Direct, positive, and caring feedback, combined with self-growth ownership. ⭐ The Engineering community ⭐ In our engineering team, we build the infrastructure, interfaces, and applications to provide first-class service to our members, health professionals, and even ourselves! Being an engineer at Alan means joining a team of talented, committed and passionate engineers, with a lot of product interaction. We move fast, with a lot of ownership, and are proud to tackle big problems! We do security as we do everything else — that is, not quite the traditional way, but always in line with our leadership principles. Joining Alan as a Application Security Engineer team means you're at the forefront of protecting sensitive health data and ensuring our systems are resilient against threats. Want to know more? Read this article on our Engineering career path. The Application Security team Mission Tech Foundations enables product crews and creates the environment to thrive - combining world-class infrastructure, intuitive developer experience, exquisite operational excellence, and built-in security to make shipping exceptional products effortless. Application Security is one of its crews. Its mission: build, evolve and operate the foundational security building blocks and secure-by-default patterns that make Alan's products safe by design, highly available, and easy to ship, while partnering with product teams and Security Operations to reduce real risk without turning security into a bottleneck. Scope Securing the codebase SAST - Implement, maintain, and continuously improve static analysis tooling integrated into CI/CD pipelines. DAST - Deploy and operate dynamic analysis tooling to surface runtime vulnerabilities before they reach production. Hardcoded secrets - Detect, remediate, and prevent hardcoded secrets across the codebase and pipelines. Vulnerability remediation - Identify, triage, and drive remediation of vulnerabilities in application code and CI/CD configurations. Securing the supply chain Dependency vulnerability management - Identify, triage, and drive remediation of vulnerabilities in third-party dependencies. Dependency & runtime hygiene - Keep dependencies and execution environments up to date, with clear ownership and SLAs. Production traceability & hardening - Harden execution environments and ensure full traceability of code deployed to production. Securing the development process Security and privacy by design - Champion security and privacy as first-class concerns in engineering workflows, code reviews, and architecture decisions. Threat modeling & risk culture - Foster a habit of threat modeling and rapid risk assessments in product teams; elevate security maturity across the entire product and engineering community. Secure SDLC - Embed security checkpoints and guardrails throughout the software development lifecycle. AI-assisted coding security - Define and enforce security guardrails for AI-assisted and agentic coding workflows, for both Engineering and non-Engineering populations. Focus for 2026: In 2026, we will significantly raise the security bar across our engineering practices. We will build and deploy a comprehensive security scanning suite in our CI/CD pipelines, establish systematic dependency vulnerability management, and run our first fully internalized pentest cycle. We are also at a critical inflection point with AI-assisted development: as vibe coding and agentic workflows become the norm across Engineering and beyond, we need dedicated effort to define the guardrails that keep us secure without slowing us down. At Alan, everyone can build - and as that becomes a reality, security must scale with it. Experience we value 3+ years in application security, DevSecOps, or security engineering roles Experience building or operating security tooling (SAST, DAST, dependency scanners, secrets detection) Ability to script and automate (Python, Bash, or equivalent) - code is your common language with Engineering You love turning security findings into systemic fixes, not just one-off patches Mindset we value You treat security as an enabler : your role is to enable developers, your customers, by making the secure route the most straightforward one. You're pragmatic : you prioritize findings by real risk, looking at impact on our members and our business; you drive fixes to closure, you don’t stop at the ticket queue. You're hands-on : you write scripts, integrate tooling, and get things done. You build systems : guardrails, policies, and automation that scale beyond your own effort. You're fluent in English (French is a bonus). For this opportunity, we are aiming to hire within the C1 - E level range. But above all, we are looking for high potential and curiosity: make sure to show us this when you apply! Everything else is a bonus.