Application Security Tooling Administrator

We are hiring an Application Security Tooling Administrator to operate and continuously improve a defense agency's AppSec scanning ecosystem across the SDLC. This role is hands-on with Sonatype, Fortify, StackRox (Red Hat ACS), and Burp Suite, ensuring scalable, auditable security controls in regulated environments.

This position focuses on tool administration, integration, and operational excellence, embedded within Agile teams using Jira.

Key Responsibilities

AppSec Tool Operations

• Deploy, configure, harden, and maintain Sonatype, Fortify, StackRox, and Burp Suite
• Support on-prem and accredited cloud environments (Oracle Cloud experience strongly preferred)
• Manage upgrades, plugins, licensing, capacity planning, backups, HA/DR
• Establish SLAs/SLOs, monitoring, alerting, and operational runbooks

CI/CD & DevSecOps Integration

• Integrate AppSec tools into CI/CD pipelines (e.g., Jenkins, GitLab CI)
• Implement policy-based gates, risk-based exceptions, and standardized scan workflows
• Build reusable templates and reference configurations for development teams

Vulnerability Management & Governance

• Define and tune scanning policies, thresholds, and quality gates
• Reduce false positives through tuning and developer feedback
• Maintain an auditable vulnerability workflow (triage, remediation SLAs, waivers)

Container & Kubernetes Security

• Implement image scanning, runtime detections, admission controls, and policy enforcement
• Integrate with registries and orchestration platforms
• Support incident-ready detections and response playbooks with SOC/IR teams

Reporting, Compliance & Agile Support

• Produce dashboards and metrics (trends, MTTR, pipeline pass rates)
• Support RMF / ATO evidence and audit activities
• Participate in Agile delivery, with hands-on Jira usage for tracking and documentation

Required Qualifications

• Active Secret clearance
• DoD 8570 IAT II (e.i. Security+)
• 3+ years of application security engineering and/or DevSecOps experience in regulated environments
• Hands-on administration and CI/CD integration experience with:
• Sonatype (Nexus IQ / Lifecycle)
• Fortify (SCA / SSC)
• StackRox / Red Hat Advanced Cluster Security
• Burp Suite (Professional or Enterprise preferred)
• Strong CI/CD automation and policy-gating experience
• Working knowledge of:
• Secure SDLC, OWASP Top 10, SBOMs, dependency risk
• Container and Kubernetes security
• Linux, networking, TLS/certs, SSO/LDAP
• Java, .NET, Node.js, and Python build ecosystems
• Oracle Cloud Infrastructure

Preferred Qualifications

• DoD/IC experience (RMF, STIGs, vulnerability management)
• Registry and orchestration tools (Harbor, Artifactory, ECR, Kubernetes/OpenShift, Helm)
• SIEM/SOAR and ticketing integrations (Splunk, ServiceNow, Jira)
• Certifications: Security+, CISSP, CSSLP, GIAC, Kubernetes security certs