Application Security Tooling Engineer

SteelGate LLC

Posted today
Secret
$140,000 - $150,000
Unspecified
IT - Security
Remote/Hybrid (Off-Site/Hybrid)

Application Security Tooling Engineer

Full-Time | Remote | Secret Clearance

We are seeking an Application Security Tooling Engineer to design, operate, and continuously improve a defense agency's application security (AppSec) scanning ecosystem across the software development life cycle (SDLC). This position will run and integrate software composition analysis (SCA) with Sonatype, static application security testing (SAST) with Fortify, container/Kubernetes security with Red Hat Advanced Cluster Security (StackRox), and dynamic application security testing (DAST) with Burp Suite, ensuring scalable, auditable, mission-ready security controls in regulated environments. The ideal candidate is comfortable presenting tool assessments and recommendations to senior executive leaders (commercial and Federal), including recommendations to consolidate or reduce the toolset, while remaining comfortable operating every tool listed.

Key Responsibilities
• Platform ownership & operations
o Deploy, configure, harden, and maintain Sonatype, Fortify, StackRox, and Burp in on-prem and/or accredited cloud environments. The strongest candidates possess Oracle Cloud experience/certifications.
o Manage upgrades, plugins, licensing, capacity planning, backup/restore, high availability, and disaster recovery.
o Establish SLAs/SLOs, monitoring/alerting, and operational runbooks.
• CI/CD integration (DevSecOps)
o Integrate tools into CI/CD pipelines (e.g., Jenkins, GitLab CI, etc.) with policy-based gating and risk-based exceptions.
o Standardize developer "secure-by-default" workflows: pull request checks, nightly scans, release readiness criteria.
o Build reusable templates and reference implementations for product teams.
• Security policy, tuning, and governance
o Define and tune scanning policies (severity thresholds, exploitability context, allowlists/denylists, quality gates) aligned to agency standards.
o Reduce false positives/negatives through rule tuning, calibration, and developer feedback loops.
o Maintain an auditable vulnerability management workflow: triage, ownership, remediation SLAs, and exception/waiver documentation.
• Vulnerability triage & remediation enablement
o Provide actionable findings with clear reproduction steps and secure coding guidance.
o Partner with engineering teams to remediate issues in code, dependencies, container images, and Kubernetes configurations.
o Coordinate retesting and verify fixes (including targeted Burp validation for high-risk apps/APIs).
• Container/Kubernetes security (StackRox)
o Implement image scanning, runtime detections, admission controls, and Kubernetes policy enforcement.
o Integrate with registries and orchestration platforms; maintain cluster baselines and least-privilege controls.
o Operationalize incident-ready detections and response playbooks with SOC/IR teams.
• Reporting, compliance, and audit support
o Produce metrics and dashboards: vulnerability trends, time-to-remediate, pipeline pass rates, policy exceptions.
o Support Risk Management Framework (RMF) / Authority to Operate (ATO) evidence needs with scan outputs, control mappings, and procedures.
o Experience supporting Agile project management, with hands-on Jira experience strongly preferred.
o Manage a team of at least one other AppSec professional.

Required Qualifications
• Active Secret clearance required
• 5+ years in application security engineering and/or DevSecOps in regulated environments.
• Hands-on administration and pipeline integration experience with Sonatype (Nexus IQ/Lifecycle), Fortify (SCA/SSC), StackRox/Red Hat ACS, and Burp Suite (Professional/Enterprise preferred).
• Strong CI/CD and automation skills; ability to implement repeatable integrations and policy gates.
• Working knowledge of:
o Secure SDLC, OWASP Top 10, dependency risk, SBOM concepts, container/Kubernetes security
o Linux administration, networking fundamentals, TLS/cert management, identity integration (SSO/LDAP)
o Common languages/build systems (e.g., Java/Maven/Gradle, .NET/NuGet, Node/npm, Python/pip)
o Oracle Cloud Infrastructure

Preferred Qualifications
• DoD/IC experience with RMF, STIGs, and vulnerability management processes.
• Familiarity with registries and orchestration: Harbor/Artifactory/ECR, Kubernetes/OpenShift, Helm.
• Experience integrating with SIEM/SOAR and ticketing (e.g., Splunk, ServiceNow, Jira).
• Relevant certifications (one or more): Security+, CISSP, CSSLP, GIAC, Kubernetes security certs.

Job Types: Full-Time
Salary: $140k-$150k
Schedule: Monday-Friday

Benefits:

• 401(k) matching

• Full Medical

• Paid time off

• Professional development assistance

STEELGATE LLC is a Service-Disabled, Veteran-Owned Small Business (SDVOSB) that prides itself on hiring top-level Subject Matter Experts (SMEs) proven to exceed deliverable expectations. STEELGATE LLC is focused on solving the hard problems facing our government and commercial clients. Our success lies in blending relevant domain/functional knowledge with deep expertise in Information Technology, Cybersecurity, Defensive Cyber Operations, cloud-based DevSecOps, Data Analytics & AI, Acquisition and Acquisition Management, and more. STEELGATE LLC has a positive, inclusive workplace environment where all team members and partners work towards mutual success. We have established a reliable reach-back program whereby all SMEs are available to support, advise, and directly complete mission deliverables when necessary. STEELGATE LLC has a worldwide reputation as a valued and trustworthy partner. Our can-do attitude and willingness to support any mission requirement set us apart from other small business organizations. Find out more about STEELGATE LLC at www.steelgatellc.com.

We are an equal opportunity employer, and all qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, protected veteran status, or any other characteristic protected by law.