How an Application Security Manager Protects HealthTech from Cyber Threats

After seven years in application security and six years as a software developer specializing in Java, Chris Morgan has built a career at the intersection of code and cybersecurity.

Now leading an AppSec team at a growing HealthTech company, Morgan reports directly to the CISO, managing both technical security processes and the people who make them happen.

“My background in software development gives me an edge in AppSec,” Morgan explains. “Having spent years writing and debugging code, I understand the mindset of developers. It helps me identify vulnerabilities more efficiently and guide my team on how to fix them in a way that works within their workflow.”

The role is multifaceted, blending hands-on technical work with leadership responsibilities. From overseeing vulnerability management to coaching team members, Morgan’s work ensures that the company’s applications—many of which handle sensitive health data—are secure from design to deployment.

Leading Security from Code to Compliance

At the core of Morgan’s responsibilities is the administration of critical security tools, including SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), SCA (Software Composition Analysis), IaC (Infrastructure as Code) security scanners, and API testing tools. These platforms help identify vulnerabilities at different stages of the software development lifecycle, allowing developers to fix issues before they reach production.

“Each tool has its strengths,” Morgan says. “SAST is great for catching security flaws in source code, while DAST helps us find vulnerabilities in running applications. SCA ensures that our open-source dependencies are up-to-date and free of known vulnerabilities, and IaC scanning helps us secure our cloud infrastructure from the ground up.”

Managing these tools involves more than just configuring software. Morgan also oversees relationships with vendors, evaluating new solutions through RFPs (Requests for Proposals) to ensure the team has the tools they need within the allocated budget.

“Vendor management is about finding the right balance between cost, functionality, and ease of use,” Morgan explains. “We need tools that integrate seamlessly with our development pipelines, provide accurate results with minimal false positives, and are intuitive enough for developers to use without extensive training.”

Mentorship, Metrics, and Managing the Team

As a team leader, Morgan’s role extends beyond technical tasks. Assigning work, mentoring team members, and fostering a culture of collaboration and continuous learning are essential to maintaining a high-performing AppSec team.

“Mentorship is a big part of my job,” Morgan says. “I help my team develop both their technical skills and their ability to work effectively with developers and stakeholders. The best security professionals understand not only how to find vulnerabilities but also how to communicate their findings in a way that drives action.”

Tracking performance is equally important. Morgan regularly reports on key performance indicators (KPIs) and other metrics that measure the team’s effectiveness. These reports help demonstrate the value of the AppSec program to the CISO and other executives, ensuring continued support and investment.

“Our KPIs include metrics like the number of vulnerabilities identified and resolved, average time to remediation, and the percentage of applications tested before deployment,” Morgan explains. “But it’s not just about the numbers. We also track qualitative factors like developer engagement and feedback, because security is as much about culture as it is about technology.”
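The KPIs Morgan lists can be computed directly from the findings a scanning pipeline produces. The script below is an added example, not code from the article or from Morgan's company: it takes a small constructed set of finding records (hypothetical application names, severities and dates) plus a constructed deployment log, and computes vulnerabilities identified versus resolved, mean time to remediation overall and per severity, the percentage of applications tested before deployment, and the open findings that have aged past a chosen threshold.

```python
"""Added example (not from the article): computing common AppSec KPIs
from a constructed set of finding records."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Finding:
    app: str                          # hypothetical application name
    severity: str                     # "critical", "high", "medium", "low"
    source: str                       # reporting tool: "sast", "dast", "sca", "iac"
    opened: date
    resolved: Optional[date] = None   # None while the finding is still open


# Constructed sample findings; names and dates are invented for the example.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("patient-portal", "high", "sast", date(2024, 3, 1), date(2024, 3, 8)),
    Finding("patient-portal", "medium", "sca", date(2024, 3, 2), date(2024, 3, 30)),
    Finding("claims-api", "critical", "dast", date(2024, 3, 5), date(2024, 3, 6)),
    Finding("claims-api", "low", "iac", date(2024, 3, 10), None),
    Finding("scheduler", "high", "sca", date(2024, 3, 12), None),
]

# Constructed deployment record: app -> whether it was scanned before release.
SAMPLE_DEPLOYMENTS: Dict[str, bool] = {
    "patient-portal": True,
    "claims-api": True,
    "scheduler": False,
    "billing-batch": False,
}


def count_identified_and_resolved(findings: List[Finding]) -> tuple:
    """Total findings reported and how many of them have been closed."""
    resolved = sum(1 for f in findings if f.resolved is not None)
    return len(findings), resolved


def remediation_days(findings: List[Finding]) -> List[int]:
    """Days from opened to resolved for every closed finding."""
    return [(f.resolved - f.opened).days for f in findings if f.resolved is not None]


def mean_time_to_remediate(findings: List[Finding]) -> Optional[float]:
    """Average remediation time in days, or None if nothing is closed yet."""
    days = remediation_days(findings)
    return mean(days) if days else None


def mttr_by_severity(findings: List[Finding]) -> Dict[str, float]:
    """Average remediation time broken out per severity (closed findings only)."""
    buckets: Dict[str, List[int]] = {}
    for f in findings:
        if f.resolved is None:
            continue
        buckets.setdefault(f.severity, []).append((f.resolved - f.opened).days)
    return {sev: mean(days) for sev, days in buckets.items()}


def percent_tested_before_deploy(deployments: Dict[str, bool]) -> float:
    """Share of deployed applications that were scanned before release."""
    if not deployments:
        return 0.0
    tested = sum(1 for was_tested in deployments.values() if was_tested)
    return 100.0 * tested / len(deployments)


def open_findings_older_than(findings: List[Finding], today: date, max_age_days: int) -> List[Finding]:
    """Open findings that have aged past max_age_days as of `today`."""
    return [
        f for f in findings
        if f.resolved is None and (today - f.opened).days > max_age_days
    ]


if __name__ == "__main__":
    total, closed = count_identified_and_resolved(SAMPLE_FINDINGS)
    print(f"identified={total} resolved={closed}")
    print(f"mean time to remediate: {mean_time_to_remediate(SAMPLE_FINDINGS)} days")
    print(f"by severity: {mttr_by_severity(SAMPLE_FINDINGS)}")
    print(f"tested before deploy: {percent_tested_before_deploy(SAMPLE_DEPLOYMENTS):.1f}%")
    aged = open_findings_older_than(SAMPLE_FINDINGS, date(2024, 4, 1), 14)
    print("open past 14 days:", [(f.app, f.severity) for f in aged])
```

Splitting time to remediation by severity matters more than the single average: a handful of slow low-severity fixes can hide that critical findings are being closed quickly, or the reverse. The aged-open-findings query is the list a team lead would bring to developers, since it names the specific items rather than a number.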

Staying Hands-On in a Leadership Role

Despite the leadership focus, Morgan still enjoys rolling up their sleeves and getting involved in technical work when needed. This includes tasks like threat modeling, which involves identifying potential attack vectors and designing security controls to mitigate them, as well as conducting code reviews to spot vulnerabilities that automated tools might miss.

“Staying hands-on helps me stay connected to the technical side of the work and maintain credibility with my team,” Morgan says. “It also ensures that I can step in and provide guidance when someone is stuck or when we’re dealing with a particularly complex security issue.”

Advice for Aspiring Application Security Professionals

For those looking to break into application security, Morgan offers several pieces of practical advice:

  1. Learn to Code First: “Start by learning JavaScript and at least one back-end language like C#, Java, or Go. You don’t need to become a software engineer, but understanding how code works is essential for identifying and fixing vulnerabilities.”
  2. Take Advantage of Free Resources: “OWASP (Open Web Application Security Project) offers a wealth of free resources, including the OWASP Cheat Sheet Series. These guides cover different attack vectors, how to spot them in code, and how to implement secure coding practices.”
  3. Practice with Hands-On Labs: “Secure Flag, which is free with an OWASP membership, provides interactive coding challenges that simulate real-world vulnerabilities. It’s a great way to practice identifying and fixing security issues in different programming languages.”
  4. Build a Strong Foundation in Security Principles: “Understand core concepts like secure coding practices, threat modeling, and vulnerability management. These skills are critical whether you’re reviewing code, configuring security tools, or advising developers.”
  5. Develop Soft Skills and Communication: “Technical skills are important, but so is the ability to communicate effectively with developers, executives, and other stakeholders. Learn to explain security concepts in a way that’s clear, concise, and actionable.”
  6. Stay Curious and Keep Learning: “Cybersecurity is constantly evolving, so never stop learning. Stay up to date with the latest threats, tools, and best practices, and look for opportunities to apply what you learn in real-world scenarios.”

Looking to the Future

As cybersecurity threats become more sophisticated, Morgan sees the role of application security becoming increasingly important—especially in industries like HealthTech, where the stakes are high and regulatory requirements are strict.

“Protecting sensitive health data requires a proactive approach,” Morgan says. “By integrating security into every stage of the software development lifecycle, we can build applications that are not only functional and user-friendly but also resilient against cyber threats.”

For Morgan, the ultimate goal is to create a culture where security is everyone’s responsibility—empowering developers to write secure code, helping teams understand the importance of cybersecurity, and ensuring that every application the company delivers is built with security in mind.

“In AppSec, success isn’t just about finding vulnerabilities—it’s about preventing them from being introduced in the first place,” Morgan says. “And that starts with building security into everything we do, from the first line of code to the final deployment.”