We are hiring an Application Security Tooling Engineer to own and evolve a defense agency?s application security scanning ecosystem across the SDLC. This role operates and integrates Sonatype, Fortify, StackRox (Red Hat ACS), and Burp Suite, enabling secure, auditable software delivery in regulated environments.
You?ll be hands-on with tooling, embedded in Agile teams using Jira, and trusted to provide tooling recommendations to senior leadership while managing at least one AppSec team member.
?
Key Responsibilities
AppSec Platform Ownership
Deploy, configure, harden, and operate Sonatype, Fortify, StackRox, and Burp Suite
Support on-prem and accredited cloud environments (Oracle Cloud strongly preferred)
Manage upgrades, plugins, licensing, HA/DR, backups, monitoring, and runbooks
Establish SLAs/SLOs and operational metrics
DevSecOps & CI/CD Integration
Integrate tools into CI/CD pipelines (e.g., Jenkins, GitLab CI)
Implement policy-based gates, risk-based exceptions, and secure-by-default workflows
Build reusable templates and reference implementations for development teams
Vulnerability Management & Governance
Define and tune scanning policies, thresholds, and quality gates
Reduce false positives through tuning and developer feedback loops
Maintain an auditable vulnerability lifecycle (triage, SLAs, waivers, verification)
Container & Kubernetes Security
Implement image scanning, runtime detection, admission controls, and policy enforcement
Integrate with registries and orchestration platforms
Coordinate incident-ready detections and response playbooks with SOC/IR teams
Reporting, Compliance & Leadership
Produce dashboards and metrics (trends, MTTR, pipeline pass rates)
Support RMF / ATO evidence and audit requests
Manage and mentor at least one AppSec professional
Provide tooling assessments and recommendations to executive leadership
?
Required Qualifications
Active Secret clearance
5+ years in application security engineering and/or DevSecOps (regulated environments)
DoD 8570 IAT II (e.i. Security+)
Hands-on experience with:
Sonatype (Nexus IQ/Lifecycle)
Fortify (SCA/SSC)
StackRox / Red Hat ACS
Burp Suite (Pro or Enterprise)
Strong CI/CD automation and policy gating experience
Working knowledge of:
Secure SDLC, OWASP Top 10, SBOMs, dependency risk
Container/Kubernetes security
Linux, networking, TLS/certs, SSO/LDAP
Java, .NET, Node.js, Python build ecosystems
Oracle Cloud Infrastructure
?
Preferred Qualifications
DoD/IC experience (RMF, STIGs, vulnerability management)
Registry/orchestration tools (Harbor, Artifactory, ECR, Kubernetes/OpenShift, Helm)
SIEM/SOAR and ticketing integrations (Splunk, ServiceNow, Jira)
Certifications: CISSP, CSSLP, GIAC, Kubernetes security certs
?
Compensation 150,000 - 1604,000
?