Application Security Tooling Engineer (Senior)

Overview
We are seeking an Application Security Tooling Engineer to design, operate, and continuously improve a defense agency’s application security (AppSec) scanning ecosystem across the software development life cycle (SDLC). This position involves managing and integrating tools such as Sonatype, Fortify, StackRox, and Burp Suite to ensure scalable, auditable, mission-ready security controls in regulated environments. The role requires collaboration with senior leaders to assess and recommend tools, optimize workflows, and support security policies.

Education & Certification Requirements
Not specified.

Clearance Requirements
Secret clearance required; Interim Secret clearance accepted.

Onsite Requirements
This role is a remote opportunity.

Responsibilities

• Deploy, configure, harden, and maintain AppSec scanning tools in on-prem and cloud environments.
• Manage tool upgrades, plugins, licensing, capacity planning, backup/restore, high availability, and disaster recovery.
• Establish SLAs/SLOs, monitoring, alerting, and operational runbooks.
• Integrate security tools into CI/CD pipelines with policy-based gating and risk management.
• Standardize secure developer workflows, including pull request checks, nightly scans, and release criteria.
• Develop reusable templates and reference implementations for development teams.
• Define and tune scanning policies to reduce false positives/negatives, aligning with agency standards.
• Maintain an auditable vulnerability workflow, including triage, remediation, and documentation.
• Provide actionable findings with clear remediation guidance and partner with engineering teams on fixing issues.
• Implement image scanning, runtime detections, admission controls, and policy enforcement in Kubernetes.
• Produce metrics and dashboards to monitor vulnerability trends, remediation times, and policy compliance.
• Support compliance and audit activities by providing scan outputs, control mappings, and procedures.

Qualifications

• Active Secret clearance required.
• At least 5 years of experience in application security engineering and/or DevSecOps within regulated environments.
• Hands-on experience with Sonatype (Nexus IQ), Fortify (SCA/SSC), StackRox/Red Hat ACS, and Burp Suite.
• Strong CI/CD and automation skills, with the ability to develop repeatable integrations and policy gates.
• Working knowledge of Secure SDLC, OWASP Top 10, dependency risk, SBOM concepts, container/Kubernetes security.
• Linux administration, networking fundamentals, TLS/cert management, identity integration (SSO/LDAP).
• Familiarity with common build systems and languages such as Java/Maven/Gradle, .NET/NuGet, Node/npm, Python/pip.
• Experience with Oracle Cloud Infrastructure is preferred.

Desired Skills

• DoD/IC experience with RMF, STIGs, and vulnerability management processes.
• Familiarity with registries and orchestration platforms such as Harbor, Artifactory, ECR, Kubernetes, OpenShift, Helm.
• Experience with SIEM/SOAR systems and ticketing platforms like Splunk, ServiceNow, Jira.
• Relevant certifications, including Security , CISSP, CSSLP, GIAC, or Kubernetes security certifications.