Overview
We are currently hiring for a Security Engineer.
Responsibilities
- Provide hands-on technical subject matter expertise with respect to setting up and administering Fortify SSC, Fortify Security Assistant IDE Plugin, OWASP ZAP, and Audit Workbench. Anticipate expanding to Sonatype.
- Administer applications and users.
- Field troubleshooting questions for developers (i.e., connections to pipelines).
- Field troubleshooting questions for front-end users (testers, security analysts: "is this a false positive?", etc.).
- Work with Project teams to review vulnerabilities.
- Familiar with Windows Server
- Work autonomously in an area of specialization to analyze internal security and provide relevant information to internal and external customers, suppliers, and partners.
- Have skill sets to perform computer incident response and remediation practices as outlined in NIST 800-61 (Computer Security Incident Handling Guide) and DHS 4300A Sensitive Systems Policy Handbook, Attachment F Incident Response. The staff will assist the Security Operation Center (SOC) on incident response actions for security incidents affecting the Cloud environment.
- Assist with the implementation of monitoring capabilities for various audiences – developers, business owners, security, and infrastructure; analyze all platform level, network changes and monitor impact and provide appropriate technical solutions to resolve issues efficiently; evaluate and document operating baseline according to required standards.
- Perform other duties as assigned by the Government.
Qualifications
- Must have hands-on expertise with respect to setting up and administering Fortify SSC, Fortify Security Assistant IDE Plugin, OWASP ZAP, and Audit Workbench
- Have and maintain at least one active certification such as CISSP, CCISSP, CEH, CISM, CISA, Cloud+, CCSP, or other comparable certification which must be approved in advance by the Government PM (on a case-by-case basis)
- Minimum of five (5) years of experience in security engineering or security operations
- Experience in security process mapping, security process analysis, security process improvement concepts, models, and best practices
- Experience with cloud Platform as a Service (PaaS), Software as a Service (SaaS) and other cloud services
- Experience with Continuous Integration (CI)/Continuous Delivery (CD) - Deployment pipeline experience (Jenkins, Ansible, Terraform)
- Experience or a strong knowledge of Data at Rest Application Programming Interface (API) design
- Experience or a strong knowledge of programming languages (Python, Java, etc.)
- Experience or a strong knowledge of container/orchestration tools (Kubernetes, Docker, Puppet, etc.)
- Have a deep understanding of API Security, Container Security, Cloud Security
- Advanced Microsoft Excel and Access skills to perform extensive data mining, correlation, and reporting
- Contractor shall be staffed in the Washington, DC metropolitan area, unless explicitly approved by the Government PM
- Experience working with NIST SP 800-53, RMF, FISMA, DHS and DoD policies
- Other tools besides Fortify that could be reasonable substitutes if they appear in the candidate's experience:
  - CAST
  - Code Compare
  - CodeScene Behavioral Code Analysis
  - CodeSonar
  - Coverity
  - Embold
  - Fortify Static Code Analyzer
  - Parasoft
  - PVS-Studio
  - Raxis
  - reshift
  - RIPS Technologies
  - SmartBear Collaborator
  - Understand
  - Visual Expert
  - Veracode
- Excellent customer service, analytical, problem solving, team-building, and interpersonal skills
- Ability to work independently and function as an integral part of the team
- Excellent oral and written communication skills; technical and business focused, with the ability to document and describe security process information collected
- Listening skills, the ability to detect explicit and implicit needs and wants
- Demonstrated ability to exercise good judgment, prioritize multiple tasks, and problem solve under pressure of deadlines and resource constraints
- Proven experience in building consensus and managing cross-functional teams
Clearance Requirements:
- Must have an Active Secret clearance or higher.