Adeptus Solutions, Inc. is seeking a skilled Cybersecurity Engineer to join our growing cybersecurity operations team. Responsible for developing and assessing secure application standards and implementation guidance, you will support federal agency compliance requirements.

Responsibilities

  • Support the execution of the Software Development Life Cycle (SDLC) and risk management functions
  • Identify and assess code vulnerabilities
  • Develop and maintain application and coding documentation
  • Provide technical and security control guidance
  • Recommend and support remediation solutions
  • Collaborate closely with development project teams to propose solutions for complex cybersecurity compliance challenges
  • Maintain communication with federal client stakeholders and information security team members
  • Test for common vulnerability classes, including SQL injection, cross-site scripting (XSS), and buffer overflow attacks (automated and manual), and perform fuzz testing
  • Review source code for potential attack targets
  • Analyze vulnerabilities
  • Work with the team to recommend and implement remediation strategies
  • Ensure a Disaster Recovery Plan (DRP) is associated with assigned work, and design, develop, and implement secure software and configurations by applying the applicable DoD Security Technical Implementation Guides (STIGs), checklists, vendor security guidance, industry best practices, and applicable vendor product security patches as provided on the DISA Information Assurance Support Environment (IASE) website.
  • Support federal and non-federal information systems as a Cybersecurity Engineer, including application security testing and secure web architecture design and input.
  • Effectively and efficiently develop automated test scripts for user stories across several products.
  • Lead and support testing of web applications and APIs for susceptibility to SQL injection, Cross-Site Scripting (XSS), and other attacks.
  • Perform Static Application Security Testing (SAST) for assigned systems and deliver the generated reports to relevant project stakeholders.
  • Collaborate with application developers to review and respond to false-positive submissions made in response to application security findings.
  • Consult with developer teams on mitigation and remediation solutions and methods.
  • Perform manual and automated Dynamic Application Security Testing (DAST) for assigned systems and deliver findings reports to relevant project stakeholders.
  • Support the development of security and risk reports and related documentation.
  • Develop and maintain application security and compliance documentation (e.g., Application Configuration Guide, Secure Coding Guide, Application Security Policies and Procedures).
  • Provide subject matter expert (SME) input during cybersecurity incidents and their subsequent resolution (e.g., incident triage, remediation, root cause analysis).
  • Ensure all security-related SDLC documentation meets all identified security needs.
  • Perform and document the results of threat modeling exercises to identify potential attack vectors in application architecture using proven methodologies (e.g., STRIDE, PASTA, CVSS).
  • Assist the System Owner, Information Owner, ISSO, and ISSM in recording all known security weaknesses of assigned applications in POA&Ms in accordance with (IAW) US Army policy and procedures.
  • Identify changes to applications that may impact security controls, perform security impact assessments of proposed changes, report any change in risk posture, and provide recommendations for risk mitigation.
  • Complete mandatory annual specialized information security training.
  • Attend meetings on behalf of the customer and provide security-related input regarding the applications.

Skills and Qualifications:

  • 3+ years' related work experience performing vulnerability management, web application penetration testing, and/or application security consulting is required to be considered for this position.
  • Security+ certification is required. Certified Secure Software Lifecycle Professional (CSSLP), Certified Information Systems Security Professional (CISSP), CompTIA Advanced Security Practitioner (CASP+), Offensive Security Certified Professional (OSCP), and/or AWS Cloud Administrator certification is preferred.
  • Static and Dynamic Application Security Testing (SAST/DAST) experience is required.
  • Experience performing and auditing MicroFocus Fortify static code analysis scans is preferred.
  • Strong security system analysis skills and an understanding of cyber and IT security risks, threats, prevention measures, and security best practices.
  • Excellent knowledge of web-related technologies (web applications, web services, service-oriented architectures) and network/web-related protocols.
  • Experience with cloud security approaches and cloud architectures; experience with Azure and AWS is preferred.
  • Experience with Federal Governance, Risk Management, and Compliance (GRC) or ATO-related tools and content, such as vulnerability scanning and penetration testing tools, SCAP/STIG, MicroFocus Fortify, SonarQube, Checkmarx, Qualys, BurpSuite, and Nessus/Tenable, is preferred.
  • Strong understanding of federal information security-related processes, frameworks, standards, and regulations.
  • In-depth understanding of networking and network security, cloud security, and network monitoring solutions and approaches; experience proposing and providing guidance on compliant technologies, architectures, and solutions.
  • Experience with Federal GRC tools and content, such as eMASS, STIG, and Nessus/Tenable, is preferred.
  • Experience supporting customers with Federal Government and/or other industry-specific cybersecurity compliance and regulatory standards/frameworks (e.g., OWASP Top 10, NIST 800-53).
  • Experience writing and designing application security policies, procedures, standards, guides, and plans.
  • Must be able to multi-task and efficiently support a cross-matrixed team by working across many client projects while supporting internal team functions.
  • Must be able to solve complex information security challenges and propose strategic and pragmatic approaches to the team and clients.

Education:

 Bachelor's Degree

Experience:

  • CSSLP: 1 year (Required)
  • CISSP: 1 year (Required)
  • MicroFocus Fortify static code analysis scans: 1 year (Required)
  • AWS: 6 years (Required)
  • Azure: 6 years (Required)
  • Data modeling: 1 year (Required)
  • Modern Web APIs: 1 year (Required)
  • Security+: 4 years (Required)
  • CompTIA: 4 years (Required)
  • DISA STIGS: 2 years (Required)
  • .NET: 4 years (Required)
  • Angular: 4 years (Required)
  • SQL Server Management Studio: 4 years (Required)

Security clearance:

  • Confidential (Required)
  • Work Location: Remote

Adeptus Solutions, Inc. is an Equal Opportunity Employer.