Lead Application Security Engineer

Position Description:

The key responsibilities of this position are to carry out the agency’s application security engineering programs. This includes vulnerability detection, verification, and mitigation in applications and databases via dynamic and static testing; applying baseline security requirements and security architecture and engineering standards and guidelines; and delivering secure architecture and design.

Education and Experience:

  • B.S. or equivalent experience in Information Security or a related field.

  • Extensive knowledge of government security regulations, such as NIST SP 800-53, and prior experience in defining security requirements that satisfy all relevant government security and privacy regulations and guidelines.

  • 7-10 years of experience designing secure systems, applications, and databases, and extensive experience integrating the solution with multiple other applications and systems.

  • Proficient in manual and automated static code analysis.

  • Proficient in dynamic vulnerability analysis tools and penetration testing techniques.

  • Must be comfortable working in conjunction with various levels of management and teams to accomplish agency goals.

  • Highly ethical, analytical, team-oriented, flexible, inquisitive, and logical.

  • Strong sense of urgency with the ability to multi-task, take initiative, and follow through.

  • Demonstrated ability to lead and manage security programs and projects.

  • Ability to use consensus building, negotiation, coalition building, and conflict resolution techniques sufficient to establish and maintain effective communication channels with multiple stakeholders and teams.

  • Good at providing security services to multiple teams, and able to interact appropriately in highly charged emotional situations. Must be able to justify and defend matters involving significant or sensitive issues. Skilled in effectively working with personnel and managers with divergent educational and cultural backgrounds.

  • Proficiency with the Microsoft Office suite of products (e.g., Word, Excel, PowerPoint).

  • After-hours support may be required.

Required Skills and Competencies:

  • Successful candidate is subject to a background investigation by the government and must be able to meet the requirements to hold a Public Trust clearance.

  • Extensive knowledge of static (source code) and dynamic (runtime application) vulnerability analysis.

    • Keen awareness of top application security vulnerabilities and mitigation methods (OWASP Top 10, SANS Top 25, etc.).

    • Must be able to look at application source code, find its security vulnerabilities (CSRF, XSS, SQL injection, buffer/heap overflow, etc.), and recommend remediation.

    • Proficient in dynamic vulnerability analysis tools and penetration testing techniques. Tools may include, but are not limited to, IBM AppScan, HP WebInspect, Burp Suite, BackTrack, soapUI Pro, SamuraiWTF, Metasploit, AppScan Source, Fiddler, and Kali Linux.

    • Extensive software development experience in J2EE or Microsoft .NET (C#, Visual Studio .NET, etc.).

    • Data structure and database-level vulnerability analysis using tools such as AppDetective or DBProtect.

  • Must have demonstrated in-depth knowledge of federal government security and privacy guidelines, such as NIST SP 800-53 and NIST SP 800-122. The candidate must have the demonstrated ability to perform compliance-oriented scans in support of Continuous Monitoring and generate reports that map vulnerability findings against NIST controls. The candidate has prior experience translating government mandates and regulations into system requirements and specifications.

  • Detailed knowledge of virtualization concepts, IPv4/v6 internetworking, configuring firewalls using iptables, patch management, and best practices. Experienced in deployment and management of VMware ESXi, Workstation, and Player environments. Good working knowledge of Red Hat Enterprise Linux, CentOS, Fedora, Ubuntu, SSH, RDP, and VNC.

  • Good knowledge of and experience with vulnerability scanning and analysis of traditional web applications; web applications in Amazon AWS/GovCloud; mobile penetration testing; and SOAP and RESTful web services.

  • Ability to communicate effectively with all levels of management and staff, both orally and in writing, sufficient to develop and deliver briefings, project papers, status reports, and correspondence that report security vulnerabilities and their impact; show the benefits of vulnerability testing and code review; lead meetings; generate management reports; defend vulnerability scanning results to the development community; foster understanding; and promote the acceptance of the application security program.

  • Must have the ability to translate, both orally and in writing, technical security concepts into terms that can be understood by co-workers, technical and administrative personnel, and managers who are not security professionals.

Desired Skills:

  • Good at providing security services to multiple teams, and able to interact appropriately in highly charged emotional situations. Must be able to justify and defend matters involving significant or sensitive issues. Skilled in effectively working with personnel and managers with divergent educational and cultural backgrounds.

  • Must have prior experience in product/service (COTS and SaaS) evaluation, vendor selection, and coordinating product/service integration.

  • Ability to use consensus building, negotiation, coalition building, and conflict resolution techniques sufficient to establish and maintain effective communication channels with multiple stakeholders and teams.

Centricity seeks highly experienced professionals who can quickly adapt to our clients’ dynamic environments. Centricity employs passionate and dedicated multidisciplinary professionals with expertise spanning the realm of IT and management consulting services. To apply, please send a cover letter, resume, and availability to careers@centricity-us.com.

Jen Coy