Save Job
Posted 5mo ago

Application Security Tooling Engineer (CA, Monterey)

@ Advanced Onion
Monterey, California, United States
$150k-$160k/yrOnsiteFull Time
Responsibilities:Deploying tooling, Integrating pipelines, Tuning policies
Requirements Summary:Active Secret clearance; 5+ years in app security/DevSecOps; DoD 8570 IAT II; hands-on with Sonatype, Fortify, StackRox, Burp Suite; CI/CD integration; Oracle Cloud; team mentoring.
Technical Tools Mentioned:Sonatype Nexus IQ/Lifecycle, Fortify, StackRox, Burp Suite, Jenkins, GitLab CI, Oracle Cloud Infrastructure
Save
Mark Applied
Hide Job
Report & Hide
Job Description

We are hiring an Application Security Tooling Engineer to own and evolve a defense agency?s application security scanning ecosystem across the SDLC. This role operates and integrates Sonatype, Fortify, StackRox (Red Hat ACS), and Burp Suite, enabling secure, auditable software delivery in regulated environments.



You?ll be hands-on with tooling, embedded in Agile teams using Jira, and trusted to provide tooling recommendations to senior leadership while managing at least one AppSec team member.



?



Key Responsibilities



AppSec Platform Ownership



Deploy, configure, harden, and operate Sonatype, Fortify, StackRox, and Burp Suite



Support on-prem and accredited cloud environments (Oracle Cloud strongly preferred)



Manage upgrades, plugins, licensing, HA/DR, backups, monitoring, and runbooks



Establish SLAs/SLOs and operational metrics



DevSecOps & CI/CD Integration



Integrate tools into CI/CD pipelines (e.g., Jenkins, GitLab CI)



Implement policy-based gates, risk-based exceptions, and secure-by-default workflows



Build reusable templates and reference implementations for development teams



Vulnerability Management & Governance



Define and tune scanning policies, thresholds, and quality gates



Reduce false positives through tuning and developer feedback loops



Maintain an auditable vulnerability lifecycle (triage, SLAs, waivers, verification)



Container & Kubernetes Security



Implement image scanning, runtime detection, admission controls, and policy enforcement



Integrate with registries and orchestration platforms



Coordinate incident-ready detections and response playbooks with SOC/IR teams



Reporting, Compliance & Leadership



Produce dashboards and metrics (trends, MTTR, pipeline pass rates)



Support RMF / ATO evidence and audit requests



Manage and mentor at least one AppSec professional



Provide tooling assessments and recommendations to executive leadership



?



Required Qualifications



Active Secret clearance



5+ years in application security engineering and/or DevSecOps (regulated environments)



DoD 8570 IAT II (e.i. Security+)



Hands-on experience with:



Sonatype (Nexus IQ/Lifecycle)



Fortify (SCA/SSC)



StackRox / Red Hat ACS



Burp Suite (Pro or Enterprise)



Strong CI/CD automation and policy gating experience



Working knowledge of:



Secure SDLC, OWASP Top 10, SBOMs, dependency risk



Container/Kubernetes security



Linux, networking, TLS/certs, SSO/LDAP



Java, .NET, Node.js, Python build ecosystems



Oracle Cloud Infrastructure



?



Preferred Qualifications



DoD/IC experience (RMF, STIGs, vulnerability management)



Registry/orchestration tools (Harbor, Artifactory, ECR, Kubernetes/OpenShift, Helm)



SIEM/SOAR and ticketing integrations (Splunk, ServiceNow, Jira)



Certifications: CISSP, CSSLP, GIAC, Kubernetes security certs



?



Compensation 150,000 - 1604,000



?