Application Security Engineer
Knowledge Consulting Group - Reston, VA
Job Type: Full Time
Applicants selected will be subject to a government security investigation and must meet eligibility requirements for access to classified information. Must be clearable to the Top Secret level.
The ongoing responsibility will be to serve as the 'Remediation SME.' In this capacity, the candidate will review technical scans conducted on Symantec systems in order to identify findings and create POA&Ms for the information systems. The candidate will be a key contributor to all compliance and risk mitigation efforts, including POA&M management, waiver and acceptance support, and continuous monitoring.
The initial project will consist of reviewing test/scan results for existing Symantec systems to determine what it would take to bring each system into compliance. This will require interfacing with the Chief Financial Office to provide a cost/benefit analysis for bringing a system into compliance or for retiring the system or application.
Additional duties include:
- Assist in developing unified guidelines and procedures for conducting certifications and/or system-level evaluations of information systems and networks.
- Advise on new standards and make recommendations on new IT Security technologies to improve efficiencies.
- Prepare the Security Test & Evaluation (ST&E) Plan if required.
- Conduct the ST&E execution via document examination, interviews and manual assessments as required.
- Analyze automated scan results as required.
- Populate the Requirements Traceability Matrix (RTM) with ST&E results as required.
- Perform risk analysis.
- Create a Security Accreditation Report (SAR) as required.
- Create a Plan of Action and Milestones (POA&M) as required.
- Conduct the ST&E findings meeting with the System Owner, ISSO and other system personnel as required.
- Communicate with the ISSO on continuous monitoring activities related to Plan of Action and Milestone closures, waivers and exceptions.
- Coordinate courtesy scans with ISSOs and Security Engineers as requested for assigned systems.
- Track security activities of assigned systems and brief senior leadership on those activities.
Requirements:
- Demonstrated experience performing and coordinating vulnerability assessments, as well as tracking and implementing remediation plans.
- Application security and vulnerability assessment skill set.
- Excellent written and verbal communication skills, with the ability to translate and explain technical security issues in business language and as business risk statements.
- Expert knowledge of the risk exception/acceptance process, to provide guidance in cases where remediation cannot be performed.
- Minimum of 3 years' demonstrated experience conducting vulnerability assessment and analysis of operating platforms (e.g. UNIX, Solaris, and Microsoft). Minimum of 3 years' experience performing compliance testing and analysis of web-facing applications and database schemas. Minimum of 3 years' related security experience.
- Certification and Accreditation Professional (CAP), CISSP, CISM or CISA certification is preferred.
- Proficiency in MS Word, since the role involves writing several security artifacts, including documents such as Security Testing & Evaluation Plans.
- Must be proficient in developing and presenting, both verbally and in writing, highly technical information and presentations to non-technical audiences at all levels of the organization.
- Working knowledge of the NIST SP 800 series publications that implement FISMA.
- Working knowledge of the NIST SP 800 series publications, including but not limited to 800-30, 800-37, 800-53 and 800-53A.
- Experience operating vulnerability scanning tools (e.g. Nessus, AppDetective, WebInspect and ISS) and others as required.
- Experience performing analysis of the data produced by these scanning tools.
- Understanding of application programming languages, application servers, web services, browser technology, common vulnerabilities, security best practices, and automated assessment tools and manual testing techniques specific to web applications.
- Experience with at least Java, Microsoft .NET, and C++. Experience with Python, Perl, Ruby, and UNIX shell scripting.
Benefits:
- Dental Insurance
- Health Insurance
- Life Insurance
- 401K / Retirement Plan
- Sick Leave
- Vision Insurance
- Tuition Reimbursement
- Technical Training/Certs
- Utilization Bonus