The Civil Health Operation is seeking a Sr. Application Security Engineer in Bethesda, MD who will support all aspects of security in the Agile SDLC: design and code reviews, researching and recommending security tools and practices for both development and testing, performing security testing, using and scripting security testing tools, training developers and testers, and related activities.
The candidate will provide testing support for all application tiers, including front-end functional testing, middle-tier testing of web services and other APIs, and testing of back-end ETL and other data processes. In addition, the candidate is expected to perform security testing and lead the test automation effort. The candidate may also participate in requirements reviews to provide feedback on requirements and to ensure that functional requirements are testable and adequately documented to drive the test process. The candidate should be able to write test plans and define the testing strategy for each release.
• DevSecOps Process, Tools, Training
o Defining, developing, implementing and training secure coding and testing strategies, standards and practices, with a focus on automation, to help our customer adopt DevSecOps
o Providing recommendations for security testing tools to be included in the program's CI/CD pipeline to achieve DevSecOps, and supporting the adoption of the selected tools
o Developing and maintaining the program security backlog and coordinating with the teams to ensure security backlog items are incorporated into the teams' backlogs
o Facilitating our Security Hack Days and other application security training activities
o Setting up the tools and processes for security testing across all applications.
o Documenting technical issues identified throughout the SDLC.
o Helping developers and testers adopt agile and security test strategies
o Supporting our metrics program by tracking and gathering metrics on all activities.
• Security Testing and Team Support
o Collaborating with delivery teams to refine the product backlog items to include security requirements/acceptance criteria (evil user stories)
o Application source code review.
o Executing and reporting security tests.
o Identifying regression test candidates for automation, planning automation activities across the team and automating test cases.
o Web and mobile application penetration testing.
o Vulnerability assessments, exploratory testing and penetration testing (external and internal), including vulnerability exploitation and pivoting to gain remote system access.
o Reporting defects, tracking, validating and closing.
o Estimating test case writing and execution effort and keeping track of own and team progress.
o Test case authoring and holding test case reviews with stakeholders.
o Execution of test cases, including functional, regression, performance, load and smoke tests, for both web applications and databases.
o Recording test results and reporting them.
o Participation in daily scrum meetings, agile ceremonies and weekly test team meetings.
o Participating in all phases of risk management assessments and software development, with emphasis on analysis of user requirements, test design and test tool selection.
o Installing, maintaining or using software testing programs.
o Supporting UAT activities.
EDUCATION & EXPERIENCE: Requires a BS degree and 8-12 years of prior relevant experience
The following are expected from potential applicants:
• Degree in Computer Science, Information Systems, Engineering or related major.
• 5+ years of experience running vulnerability scanning tools and penetration testing tools and platforms, and creating risk assessments
• 3+ years of incorporating application security processes into SDLCs
• 2+ years of experience with penetration testing against web and mobile application layer platforms, above and beyond running automated tools.
• 1-2 years of experience with network/infrastructure penetration testing.
• Familiarity with application layer assessment tools, such as local proxies and fuzzers.
• Familiarity with threat modeling and security design review methodologies.
• A good understanding of Unix, Windows and network security.
• Ability to train staff and build training modules and platforms
• Ability to work both independently and perform as a leader in a team environment.
• Excellent communication skills in English (both written and oral); able to concisely communicate security risks to both technical and business audiences.
• CISSP and CEH certified
• GIAC Penetration Tester (GPEN) or Offensive Security Certified Professional (OSCP)
The following skills are not required of applicants but would be considered a plus:
• Experience working as part of an enterprise development team.
• Experience developing custom scripts or tools used for vulnerability scanning and identification.
• Experience with client/server thick client penetration testing.
• A good understanding of cryptography fundamentals.
• Produced public-facing research and/or delivered presentations at well-known industry security conferences.
• Designing test strategies, test plans, and test cases from requirements, design documents and specifications.