
Web Application Security Engineer (Senior)

Iron Vine Security, LLC Career Center
Suitland, MD Full Time
POSTED ON 1/22/2025
AVAILABLE BEFORE 3/21/2025

Job Requirements:

·        Strong written and verbal communication skills.

·        Must have an ability to communicate effectively, verbally and in writing, to interact effectively with internal and external vendors, project team members, management and agency departments, to build relationships and use facilitation skills with both technical and non-technical personnel.  

·        Security Engineer Maintained CompTIA Security Professional (Security+), CISSP and/or CEH certification for 5 consecutive years

·        5 consecutive years of systems assessment and authentication experience.

·        Proficient in Federal Information Security Management Act Metrics and Compliance Federal Information Processing Standards (FIPS). 3 years hands-on compliance testing experience. Oracle Certified Professional or equivalent CIS Benchmarks.

·        Splunk Certification or obtaining certification; knowledgeable in the use of Splunk Dashboards and audit data generation to support cyberattack investigations.

·        Detailed technical knowledge of database and operating system security.

·        Hands-on experience in security systems and controls, including firewalls, intrusion detection systems, anti-virus software, authentication systems, log management, content filtering, etc.

·        Experience developing web applications in PHP, Java, .NET or JavaScript. Experience with OWASP a plus. Experience with application security assessment tools such as WebInspect, Fortify, Burp Suite, etc.

·        Experience in engineering or assessing the security of cloud, SaaS, and multi-tenanted applications including designing authentication and authorization requirements.

 

Certifications/Licenses:

·        Bachelor’s degree or higher

·        10 years’ experience in security engineering in mid to large environments.

·        Certifications addressing security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, software development security, system security, network infrastructure, access control, cryptography, assessments and audits, and organizational security

·        Active Public Trust clearance or eligible to obtain a Public Trust clearance

 

Additional Experience Preferred:

·        In-depth knowledge of Information Theory (e.g., source coding, channel coding, algorithm complexity theory, and data compression).

·        Ability to apply system design tools, methods, and techniques, including automated systems analysis and design tools.

·        Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.

·        Knowledge of network design processes, to include understanding of security objectives, operational objectives, and trade-offs.

·        Ability to apply network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).

·        Experience designing the integration of hardware and software solutions.

·        Experience in developing and applying security system access controls.

·        Skill in discerning the protection needs (i.e., security controls) of information systems and networks.

·        Skill in evaluating the adequacy of security designs and conducting reviews of technical systems.

·        Skill in the use of design modeling (e.g., unified modeling language).

·        Ability to apply secure system design tools, methods and techniques and ensure security practices are followed throughout the acquisition process.

 

Position Responsibilities:

·        Evaluation of common security controls for internal and external web applications, client server systems and assist in the development of standardized technical implementation recommendations.

·        Track and update Acceptable Baseline Configuration deviations and false positives monthly to ensure accuracy

·        Automate technical security checks/audits throughout all components of applications (database, middleware, application code, servers, CI/CD pipeline)

·        Review/Preliminary Investigation for False Positives (FP).  Coordinates completion of False Positive form with ISSO signature and OIS signature approval.

·        Reports identified technical vulnerabilities. As a further way of sharing information about vulnerabilities, maintains contact with ISSO and stakeholders with the same types of systems to determine standardized remediation going forward.

·        Source Code Reviews / Deep Dives

·        Security assessment support of new ECON Security Architecture and Topologies

·        Technical writing for developing security standards and policies

·        Adjudications of Technical Findings

·        Direct HP Fortify and/or HP WebInspect hands-on experience for system-related vulnerability scanning, Burp Suite

·        Visualization Reports

·        Automation of Audits

·        Automation of Config Benchmarks
