Cardinal Health
Application Security Engineer
The complete job description, requirements, and application details are available on the original posting.
About Cardinal Health
Cardinal Health, Inc. is a global healthcare services and products company based in Dublin, Ohio. Founded in 1971, it initially operated as a food wholesaler before transitioning to pharmaceutical distribution in the late 1970s. The company has grown significantly through strategic acquisitions, expanding its reach in pharmaceuticals and medical products. It went public in 1983 and officially adopted the name Cardinal Health in 1994. The company operates in two main segments: Pharmaceutical and Medical. The Pharmaceutical segment focuses on the distribution of branded, generic, and specialty pharmaceuticals, as well as nuclear pharmacy services. The Medical segment includes the manufacturing and distribution of medical and surgical products, laboratory products, and patient recovery solutions. Cardinal Health also offers supply chain solutions and performance analytics to enhance healthcare operations. With approximately 46,500 to 48,000 employees, Cardinal Health serves a diverse network of hospitals, healthcare systems, pharmacies, and laboratories across the U.S. and internationally.
Security at Cardinal Health
Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.
Security Philosophy
“Cardinal Health's AppSec mission centers on balancing security with software delivery by building custom tooling that enables software teams. Its stated risk philosophy draws on SDLC and DevSecOps concepts such as CI/CD and the OWASP Top 10. Goals named in the posting include supporting the implementation and configuration of application security tools and ingesting application logs into a SIEM; Veracode experience is listed as a plus. An explicit written AppSec mission statement beyond job posting language is not publicly available.”
Security Team
Cardinal Health has a newly created, dedicated Application Security team. Brian Waeltz is the Senior Vice President, Chief Information Security Officer, though no direct quote from him on AppSec is publicly available and his public profile is dated. The team size is not publicly available. At the time of compilation there was 1 active AppSec job posting, for an Application Security Engineer. Common skills and tools mentioned in job postings include SDLC and DevSecOps concepts like CI/CD, static or dynamic code scanning, common application security controls including WAF, and container technologies like Docker and Kubernetes. An explicit org chart or reporting line to the CISO/CTO in a quoted corporate source is not publicly available.
Key Initiatives
There is no public evidence of a Security Champions Program. Cardinal Health practices 'Shift Left' through SDLC and DevSecOps concepts like CI/CD and building custom tooling to enable software teams. Their vulnerability management process includes Coordinated Vulnerability Disclosure (CVD) with an email for reporting issues (GMB-MedicalDeviceSecurity@cardinalhealth.com) and a request to notify them as soon as possible. Triage and remediation involve assisting the Incident Response team on application security investigations. Information on SLAs, MTTR, or ticketing ownership is not publicly available. Secure SDLC artifacts include static or dynamic code scanning and remediations, and SDLC and DevSecOps concepts such as CI/CD. Recent initiatives (last 6 months) include the creation/expansion of a dedicated Application Security team (job posting dated) and the use of F5 BIG-IP Advanced WAF, which increased observability of inbound web traffic and reduced malicious traffic by 40%. Public internal roadmaps, formal security champion program details, and concrete remediation SLA metrics are not publicly available.