Application Security Engineer
Work Location: Washington, DC
(Independence Ave / Smithsonian Station area)
Work must be performed at the client facility in Washington, DC. The position is 40 hours per week on site during agency business hours (no remote work) and must be staffed by a US citizen due to access/clearance levels. The period of performance starts with a base year (ASAP through 12/14/2013) plus 4 option years; this is expected to be a very long-term role.
The key responsibility of this position is to carry out the agency's security engineering program. This includes vulnerability detection and verification in applications and databases via dynamic and static testing, building an AppStore of application security components, and creating demonstrable examples of their use.
Education and Experience:
Required Skills and Competencies:
- B.S. in the Information Security, Computer Science, or related field.
- Proficient in identifying and verifying security vulnerabilities in Web applications, SOA/Web Services, databases, application source code, and configuration files.
- Hands-on .NET security programming experience.
- Proficient in application- and database-level vulnerability scanning, penetration testing, and building test images in a VM environment, with extensive hands-on experience with Linux, KVM, VMware, and Windows.
- 5+ years of experience in application- and database-level vulnerability scanning and penetration testing, and in building test images using Linux, KVM, VMware, and Windows.
- 5+ years of experience performing secure code review for .NET- and Java-based applications.
- Able to demonstrate to developers how to use the application security components to mitigate security vulnerabilities in applications, services, and databases.
- Able to build and manage a component repository using open source software such as Subversion.
a. Knowledge and extensive hands-on experience in dynamic analysis techniques, tools, and best practices:
   - Knowledge of the processes, techniques, and technology used in vulnerability scanning and penetration testing against applications, services, and databases.
   - Hands-on experience with commercial vulnerability scanning tools for applications, services, and databases, such as WebInspect, Burp Proxy, AppDetective, and AppScan Enterprise.
   - Hands-on experience with popular free and/or open source application-level security scanners, penetration testing tools, and proxy tools.
   - Hands-on experience performing manual penetration testing against Web applications, Web Services, LDAP, databases, and mobile applications.
   - Solid understanding of top application-, service-, and database-level vulnerabilities.
   - Solid understanding of top vulnerabilities for mobile applications and systems.
b. Knowledge and extensive hands-on experience in static analysis techniques, tools, and best practices:
   - Proficient in identifying application security components and creating demonstrable examples of how to use these components to mitigate vulnerabilities in applications, services, and databases.
   - Solid understanding of top application-, service-, and database-level vulnerabilities.
   - Solid understanding of the common structure and security weaknesses of typical Web applications, mobile applications and systems, SOA/Web Services, and cloud-based services.
   - Proficient with Java.
c. Proficient in identifying application security components and creating demonstrable examples of how to use these components to mitigate vulnerabilities in applications, services, and databases for .NET.
d. Proficient with security architectural principles.
e. Knowledge of Red Hat Linux, Ubuntu KVM, Windows, and VMware Server and Workstation, with the ability to create and maintain virtual machine images for vulnerability scanning and penetration testing.
f. Proficient in building and managing a component repository using open source software such as Subversion or CVS.
g. Ability to communicate effectively with all levels of management and staff, both orally and in writing, sufficient to develop and deliver briefings, project papers, status reports, and correspondence that report security vulnerabilities and their impact, show the benefits of vulnerability testing and code review, foster understanding, and promote acceptance of the agency security engineering program.
h. Skill in communicating orally and in writing with co-workers, technical and administrative personnel, and managers who are not security professionals. The position also requires the ability to translate technical security concepts into terms that employees who are not security professionals can understand.
i. Highly ethical, analytical, team-oriented, flexible, inquisitive, and logical.
j. Strong sense of urgency with ability to multi-task, take initiative and follow-through.
k. Ability to be organized and methodical, and work well under pressure.
l. Proficiency with the Microsoft Office suite of products (Word, Excel, PowerPoint).
a. Proficient in identifying application security components and creating demonstrable examples of how to use these components to mitigate vulnerabilities in applications, services, and databases for Java.
b. Proficient in MS-SQL administration.
c. Proficiency with federal government security and privacy guidelines and mandates, such as NIST 800-53, with prior experience translating government mandates and regulations into system requirements and specifications.
d. Hands-on experience performing security risk assessments (SRA) in compliance with NIST 800-30.
e. Proficient with secure design patterns.
f. Ability to use consensus building, negotiation, coalition building, and conflict resolution techniques sufficient to establish and maintain effective communication channels with multiple stakeholders and teams.
g. Good at providing security services to multiple teams and able to interact appropriately in highly charged emotional situations. Must be able to justify and defend matters involving significant or sensitive issues. Skill in working effectively with personnel and managers from divergent educational and cultural backgrounds.
Lisa Antonini Lee, Sr Technical Recruiter, Intervise Consultants, Inc. MD # 240-599-9337, Fax # 919-570-2854, www.intervise.com