Application Security Engineer SME (IMC00585)

The SME application security engineer will support and provide expertise to a successful cybersecurity and privacy program for a government customer. The SME will be responsible for designing, implementing, and maintaining secure systems and networks. The SME application security engineer will work closely with cross-functional teams, including IT, network engineering, and cybersecurity, to ensure that systems and networks are secure, compliant with applicable regulations, and protected against unauthorized access and other security risks.

Duties/Responsibilities: This position will include, but is not limited to, the following tasks:

• Advise on the security architecture of new technology projects.
• Evaluate and provide recommendations on third-party applications and services and the security implications associated with their use.
• Instrument and perform anomaly code analysis of systems and applications.
• Discover new and interesting security problems and provide resolutions.
• Build, deploy, and maintain instrumentation and security controls in and around existing code.
• Work closely with application development and infrastructure architectural teams to create code secure by design and default.
• Create programmatic code review and penetration test applications to decrease potential introduction of vulnerabilities within code.
• Contribute to vulnerability detection and remediation of technological offerings.
• Deploy developed or off-the-shelf (OTS) security applications to support team efforts.
• Participate in a cross-functional response to cyber security incidents.
• Perform Static Code Analysis.
• Perform dynamic application security testing (DAST).
• Configure platform specific DAST scan libraries to better aide in the evaluation of applications.
• Support the planning, designing, and architecting of a multi-technology cyber solution.
• Aide in security engineering tasks as related to the ATO process of systems.
• Develop and maintain security policies as related to development best practices.
• Investigate to determine root causes of security issues to perform troubleshooting and problem resolution to restore services.
• Develop, present, and implement sound recommendations for remediation.
• Provide guidance and support security activities in relation to application vulnerability analysis.
• Document and inform management with information about security information and event management.
• Create and update system design documentation.
• Remotely manage and troubleshoot cybersecurity tool-related servers.
• Provide research and analysis in support of expanding programs and area of responsibility.
• Assess information assurance and security requirements based upon the analysis of user, policy, regulatory, and resource demands.
• Apply know-how to government and commercial common user systems, as well as to dedicated special purpose systems requiring specialized security features and procedures.
• Perform analysis of security features for system architectures.
• Provide knowledge and guidance in NIST, FISMA, Agency Information Security and Privacy, and Cloud Guidelines.

Basic Required Qualifications and Skills:  Note: These are mandatory items that all candidates must have when making application to IMC for this position. Please ensure that your submission addresses each of these requirement items. Candidates without these required elements will not be considered.

• Bachelor's degree in business, information technology, or related field of study.
  • 10 years of experience in computer security may substitute for degree.
• Seven or more years of experience in cybersecurity.  
• At start date, must possess one of the following professional certifications in ACTIVE status:
  • CISM, CISSP, GSLC, CEH, LPT, CPT (similar level certifications considered on a case-by-case basis).
• Experience demonstrating strong analytical, troubleshooting, and problem-solving skills for cybersecurity.
• Excellent in oral, written, and verbal communication skills.
• Knowledge of:
  • NIST Cybersecurity and Risk Management frameworks and associated requirements.
  • Risk management processes (e.g., methods for assessing and mitigating risk).
  • Cybersecurity/privacy principles and cyber threats and vulnerabilities.
• Excellent knowledge of Networking Protocols (TCP/IP, SNMP, DNS, DHCP, ISCSI).
• Experience implementing, running, and maintaining tools and/or processes to reliably identify security issues such as SQLi, XSS, CSRF, and business logic flaws across large code bases (SAST, DAST, PenTesting, Security Unit Testing).
• Knowledgeable regarding browser security controls (CSP, XFO, HSTS), web application security topics such as OWASP Top 10, and authentication infrastructure (SAML, OAUTH).
• Experience with Webinspect, BurpSuite.
• Expertise with Sonar Qube.
• Splunk Power User.
• Pursuant to a government contract, this specific position requires U.S. Citizenship.
• Must possess or be able to obtain a federal background investigation of Tier 4 Critical Non-Sensitive (Form SF 85P).

Desired Qualifications and Skills:  It is desirable that the candidate has the following qualifications:

Experience in one of more of the following areas:

• Zero Trust,
• AWS Certified Architect,
• Cyber development, engineering, and architecture,
• Splunk administration,
• Crafting and authoring cyber policy,
• DevSecOps Engineering,
• Linux administration,
• Kubernetes,
• Ansible, and/or
• Technical Security Control and configuration of proprietary applications.