Application Security Tooling Admin

Prism, Inc.

Posted today | Clearance Level: Secret | Unspecified | Unspecified | Job Category: IT - Security | Location: Washington, DC (On-Site/Office)

ABOUT PRISM:

PRISM is devoted to modernization and innovation within the world of technology, security, and IT enterprise solutions. We have been recognized for meeting performance requirements and exceeding customer expectations since 1994. Our culture is founded on relationships, opportunity, and success. Offering comprehensive benefit plans including medical, dental, vision, and 401K, along with our people-first approach, sustains our reputation as a premier employer.

PRISM is seeking an Application Security Tooling Administrator to help design, operate, and continuously improve a mission-critical agency's application security (AppSec) scanning ecosystem across the software development life cycle (SDLC). In this role, you will run and integrate software composition analysis with Sonatype, static application security testing (SAST) with Fortify, container/Kubernetes security with Red Hat Advanced Cluster Security (StackRox), and dynamic application security testing (DAST) with Burp Suite, ensuring scalable, auditable, mission-ready security controls in regulated environments. This position is 100% remote and requires East Coast operational hours.

KEY RESPONSIBILITIES:
Platform ownership & operations:
- Deploy, configure, harden, and maintain Sonatype, Fortify, StackRox, and Burp in on-prem and/or accredited cloud environments. The strongest candidates possess Oracle Cloud experience/certifications.
- Manage upgrades, plugins, licensing, capacity planning, backup/restore, high availability, and disaster recovery.
- Establish SLAs/SLOs, monitoring/alerting, and operational runbooks.

CI/CD integration (DevSecOps):
- Integrate tools into CI/CD pipelines (e.g., Jenkins, GitLab CI, etc.) with policy-based gating and risk-based exceptions.
- Standardize developer "secure-by-default" workflows: pull request checks, nightly scans, release readiness criteria.
- Build reusable templates and reference implementations for product teams.

Security policy, tuning, and governance:
- Define and tune scanning policies (severity thresholds, exploitability context, allowlists/denylists, quality gates) aligned to agency standards.
- Reduce false positives/negatives through rule tuning, calibration, and developer feedback loops.
- Maintain an auditable vulnerability management workflow: triage, ownership, remediation SLAs, and exception/waiver documentation.

Vulnerability triage & remediation enablement:
- Provide actionable findings with clear reproduction steps and secure coding guidance.
- Partner with engineering teams to remediate issues in code, dependencies, container images, and Kubernetes configurations.
- Coordinate retesting and verify fixes (including targeted Burp validation for high-risk apps/APIs).

Container/Kubernetes security (StackRox):
- Implement image scanning, runtime detections, admission controls, and Kubernetes policy enforcement.
- Integrate with registries and orchestration platforms; maintain cluster baselines and least-privilege controls.
- Operationalize incident-ready detections and response playbooks with SOC/IR teams.

Reporting, compliance, and audit support:
- Produce metrics and dashboards: vulnerability trends, time-to-remediate, pipeline pass rates, policy exceptions.
- Support Risk Management Framework (RMF) / Authority to Operate (ATO) evidence needs with scan outputs, control mappings, and procedures.
- Experience supporting Agile project management, with hands-on Jira experience strongly preferred.

REQUIRED QUALIFICATIONS (SKILLS/EDUCATION):
- 3+ years in application security engineering and/or DevSecOps in regulated environments.
- Hands-on administration and pipeline integration experience with Sonatype (Nexus IQ/Lifecycle), Fortify (SCA/SSC), and StackRox/Red Hat ACS.
- DoD 8570/8140-compliant IAT II certification (CompTIA Security+ CE or similar).
- Strong CI/CD and automation skills; ability to implement repeatable integrations and policy gates.
- Working knowledge of Secure SDLC, OWASP Top 10, dependency risk, SBOM concepts, and container/Kubernetes security.
- Linux administration, networking fundamentals, TLS/certificate management, and identity integration (SSO/LDAP).
- Common languages/build systems (e.g., Java/Maven/Gradle, .NET/NuGet, Node/npm, Python/pip).
- Oracle Cloud Infrastructure experience.

REQUIRED SECURITY CLEARANCE:
Active DoD Secret Clearance

PREFERRED QUALIFICATIONS:
- DoD/IC experience with RMF, STIGs, and vulnerability management processes.
- Burp Suite (Professional/Enterprise).
- Familiarity with registries and orchestration: Harbor/Artifactory/ECR, Kubernetes/OpenShift, Helm.
- Experience integrating with SIEM/SOAR and ticketing (e.g., Splunk, ServiceNow, Jira).
- Relevant certifications (one or more): Security+, CISSP, CSSLP, GIAC, Kubernetes security certs.

PRISM is an Equal Opportunity/Affirmative Action employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or veteran status, or any other protected class.
group id: PRISMVA
