Posted 2 days ago
Secret
Unspecified
Unspecified
IT - Security
(On-Site/Office)
We are hiring an Application Security Tooling Engineer to own and evolve a defense agency's application security scanning ecosystem across the SDLC. This role operates and integrates Sonatype, Fortify, StackRox (Red Hat ACS), and Burp Suite, enabling secure, auditable software delivery in regulated environments.
You'll be hands-on with tooling, embedded in Agile teams using Jira, and trusted to provide tooling recommendations to senior leadership while managing at least one AppSec team member.
Key Responsibilities
AppSec Platform Ownership
DevSecOps & CI/CD Integration
Vulnerability Management & Governance
Container & Kubernetes Security
Reporting, Compliance & Leadership
Required Qualifications
Preferred Qualifications
You'll be hands-on with tooling, embedded in Agile teams using Jira, and trusted to provide tooling recommendations to senior leadership while managing at least one AppSec team member.
Key Responsibilities
AppSec Platform Ownership
- Deploy, configure, harden, and operate Sonatype, Fortify, StackRox, and Burp Suite
- Support on-prem and accredited cloud environments (Oracle Cloud strongly preferred)
- Manage upgrades, plugins, licensing, HA/DR, backups, monitoring, and runbooks
- Establish SLAs/SLOs and operational metrics
DevSecOps & CI/CD Integration
- Integrate tools into CI/CD pipelines (e.g., Jenkins, GitLab CI)
- Implement policy-based gates, risk-based exceptions, and secure-by-default workflows
- Build reusable templates and reference implementations for development teams
Vulnerability Management & Governance
- Define and tune scanning policies, thresholds, and quality gates
- Reduce false positives through tuning and developer feedback loops
- Maintain an auditable vulnerability lifecycle (triage, SLAs, waivers, verification)
Container & Kubernetes Security
- Implement image scanning, runtime detection, admission controls, and policy enforcement
- Integrate with registries and orchestration platforms
- Coordinate incident-ready detections and response playbooks with SOC/IR teams
Reporting, Compliance & Leadership
- Produce dashboards and metrics (trends, MTTR, pipeline pass rates)
- Support RMF / ATO evidence and audit requests
- Manage and mentor at least one AppSec professional
- Provide tooling assessments and recommendations to executive leadership
Required Qualifications
- Active Secret clearance
- 5+ years in application security engineering and/or DevSecOps (regulated environments)
- DoD 8570 IAT II (e.i. Security+)
- Hands-on experience with:
- Sonatype (Nexus IQ/Lifecycle)
- Fortify (SCA/SSC)
- StackRox / Red Hat ACS
- Burp Suite (Pro or Enterprise)
- Strong CI/CD automation and policy gating experience
- Working knowledge of:
- Secure SDLC, OWASP Top 10, SBOMs, dependency risk
- Container/Kubernetes security
- Linux, networking, TLS/certs, SSO/LDAP
- Java, .NET, Node.js, Python build ecosystems
- Oracle Cloud Infrastructure
Preferred Qualifications
- DoD/IC experience (RMF, STIGs, vulnerability management)
- Registry/orchestration tools (Harbor, Artifactory, ECR, Kubernetes/OpenShift, Helm)
- SIEM/SOAR and ticketing integrations (Splunk, ServiceNow, Jira)
- Certifications: CISSP, CSSLP, GIAC, Kubernetes security certs
group id: 91082210
N
