Job Description:
Duties and Responsibilities

Conduct static and dynamic application code and security vulnerability testing.
Conduct penetration testing on enterprise applications and recommend remediation using available tools and technologies.
Educate and support application developers and administrators in fixing security vulnerability issues in all tiers of applications including network, database and web/application servers.
Perform incident response and forensics evaluation using security information and event management (SIEM) tools.
Work with systems and network administrators to evaluate and enforce security controls and hardening rules as determined by industry standards and state and federal security compliance requirements.
Integrate applications with SIEM tools and log aggregation/analysis tools such as Splunk.
Ensure that the client system security requirements are addressed during all phases of the system development life cycle.
Conduct daily/weekly security audit log reviews and report any suspicious activities.
Conduct security impact analysis of controls on proposed system changes.
Conduct ongoing security reviews and tests of the client systems to periodically verify that security and operating controls are functional and effective.
Review and update systems security documentation and artifacts such as SSP, ISRA, PIA, SSR, CAP and POA&Ms.
Create and track POA&M requirements for resolving security findings.
Adhere to all security, change control and client Project Management Office (PMO) policies, processes and methodologies.
Note: The candidate must have the flexibility to work overtime, as needed, to include weekends, holidays, and off-hours.

Minimum qualifications

A minimum of eight (8) years of experience in analysis and definition of system security requirements.
A minimum of five (5) years of experience in performing static analysis of applications using different tools and technologies such as Fortify, AppScan, Veracode, SonarQube.
A minimum of five (5) years of experience in performing dynamic/customized security analysis of web applications, using various tools and technologies to perform penetration testing, identify vulnerabilities/security issues, and suggest remedial measures.
A minimum of three (3) years of experience in defining computer security requirements for high-level applications and evaluating approved security product capabilities.
A minimum of two (2) years of experience working with Web Application Firewall (WAF) and Content Delivery Network (CDN) tools such as Akamai, Incapsula, AWS WAF, and Cloudflare.
Active CISM, CISSP, CISA, or other security certifications.
Experience in performing security incident response and forensics evaluation with SIEM tools.

Preferred Qualifications

A minimum of five (5) years of specialized experience in defining computer security requirements for high-level applications, evaluation of approved security product capabilities, and developing solutions to MLS problems.
Demonstrated understanding of information security concepts and regulatory compliance requirements.
A minimum of seven (7) years of experience performing security assessments of infrastructure and applications, and static/dynamic code analysis of web applications written in Java and JavaScript.
Experience with assessment and evaluation of information systems to recommend changes and mitigate threats, risks, and vulnerabilities. Conduct incident response testing to evaluate processes for detection, response, and reporting of security incidents.
Experience in developing DISA STIG and IRS/CIS Benchmark-style hardening checklists to establish system security baseline documentation.
Experience with administering and maintaining security architecture technology solutions including SIEM, vulnerability management, anti-virus management, database monitoring and encryption, IDS/IPS, Data Loss Prevention, and Web Application Firewall.
A minimum of four (4) years of experience in managing computer systems and utilizing Tenable Security Center to manage security vulnerabilities and compliance configurations.
Experience as a Certified Ethical Hacker.
Experience with network implementation of Cisco routers and switches, Cisco ASA, and Fortinet firewalls.
A minimum of five (5) years of hands-on experience in implementing Minimum Acceptable Risk Standards for Exchange (MARS-E 2.0) based on NIST SP 800-53 rev4 Security and Privacy Controls.
A minimum of five (5) years of hands-on experience applying the NIST SP 800-37 Risk Management Framework.
Experience working with and developing PMO processes, policies and procedures.