Applications Security Engineer - iQuasar
Norfolk, VA
About the Job
Job Summary:
The Applications Security Engineer provides detailed analysis of web and client/server application security for development and COTS solutions. The Application Security Engineer serves the needs of the agency by validating security controls and technical approaches for application security.
Additionally, the Application Security Engineer shall assess the existing controls and recommend new solutions and policies to improve the agency's security posture, act as a security subject matter expert on all projects and initiatives, and work to improve end-user cybersecurity awareness.
Essential Job Functions:
Develop security awareness, guidance, and socialization materials for training, for internal applications teams.
Review and provide consulting for IT security team members as part of security reviews and investigations.
Monitor and investigate application security logs.
Develop, implement, and improve application security logging, alerts, and incident response capabilities.
Work with cross-functional internal teams and assist with architecture, threat modeling, and reviewing systems and infrastructure to identify vulnerabilities and weaknesses in architecture.
Make appropriate vulnerability remediation recommendations, create socialization and technical analysis documentation, and collaborate with teams to implement those recommendations.
Conduct vulnerability research and analysis for emerging threats, best practices, and architectural models for application architecture and dependencies.
Audit, validate, and track application architecture vulnerabilities across presentation, data management and integration levels to report and prioritize risk to businesses.
Perform application penetration testing to examine target systems in detail, looking for vulnerabilities and weaknesses.
Identify and implement application-level security technical and process vulnerability remediations and improvements.
Define and own metrics to determine effectiveness of security controls.
Apply comprehensive hardening to infrastructure platforms, deployment code, and images.
Architect, build, automate, and operate automated security controls/tools and review capabilities to detect vulnerabilities across all applications and services.
Develop web applications and dashboards using front-end languages such as HTML, Java, JavaScript, PHP, .NET, SQL, etc.
Create and maintain Secure Software Development Life Cycle (SDLC) and secure SDLC models documentation for application development teams.
Review, create and maintain security requirements of an application while in development.
Define, maintain, and enforce application security policies, standards, and procedures.
Perform manual and automated code review of applications.
Assess, track, and prioritize vulnerabilities of applications.
Provide detailed analysis and mitigations based on assessments and testing of applications.
Prioritize remediation based on security ratings and the needs of the business.
Create socialization and guidance materials for Security standards.
Lead Application Security Event Forensic Root Cause Analysis.
Collaborate with incident coordinators and report findings to management in real time.
Perform IT Security Triage, Scoping, Containment, and Mitigation activities in coordination with application owners.
Complete documentation of IT Security events.
Required Abilities and Skills Essential to Job Functions:
Proficiency with application vulnerability scanning and penetration tools such as Burp Suite, AppSpider, Kali, etc.
Proficiency with scripting and coding languages including PowerShell and Python, or similar, in a Windows environment.
Be a champion for security culture and excellence, exercise risk-based judgement and prioritize remediation work.
Knowledge of IT control concepts such as zones of trust, zero trust, and privileged access management.
Ability to self-manage with limited oversight.
Excellent written and oral communication skills.
Excellent interpersonal skills.
Excellent judgment and problem-solving skills.
Strong Knowledge of OWASP Top 10.
Strong knowledge of application threat modeling.
Static application security testing and dynamic application security testing.
Ability to review and walk through code in real time for application code and script review.
Ability to troubleshoot modern identification and integration services implementations.
Qualifications:
Bachelor's degree in Computer Science, Application Development, Cybersecurity, or related field.
Licenses or Certificates:
Security+, SSCP, or CySA+ Certification
Experience:
Published work or contributions in related subject matter.
Penetration Testing, Application Forensic and threat hunting certifications are a plus.
Certified Application Security Engineer (CASE) or equivalent certification preferred.
One (1) to three (3) years of experience in system/network security functional position in Windows environments.
Familiarity with Linux.
Experience developing quantitative evaluation metrics through the automation of analytics data collection and parsing.
Experience with CIS, NIST, controls and other frameworks for on-prem and cloud environments
Experience with Structured and Unstructured Data.
Experience with Container platforms such as Docker.
Experience with Regex, log analytics and application log parsing.
Minimum three (3) to five (5) Years in Application, Web, and/or Database Management
Minimum one (1) to two (2) years of work experience in an Application Security function.
Experience with integration systems including managed file transfers, privileged access management and integration platforms as a service.
Experience with Oracle and Microsoft Database environments
Experience working in Virtualized and Cloud environments
Experience with identity protection services such as Azure Identity Protection Services
Experience implementing Azure MFA integrations.
Experience implementing modern authentication structures such as SAML, OIDC, and OAuth.
Experience with Solution as a service and other cloud model architecture.
Experience with AWS, Azure environments including log review, analytics, and security services.
Experience testing APIs and mitigating open API vulnerabilities.
Experience in pen testing and the MITRE ATT&CK framework.
Experience troubleshooting Application and Operating system interactions
Experience in Transit and Operational Technologies a plus.
Special Requirements:
This position is classified as a 24/7 On-Call position for Emergency Response.
This position is classified as essential personnel.