About The Position

At phia we hire talented and passionate people who are focused on collaborative, meaningful work, providing technical and operational subject matter expertise and support services to our partners and clients. phia is seeking a mission-driven Application Security Engineer to act as a dedicated technical partner embedded within a federal agency’s AppSec team. You will plan, administer, and triage application security testing workflows using Veracode and Burp Suite Enterprise, manage security integrations within a CI/CD pipeline, and serve as a technical resource for development teams navigating vulnerability remediation. You will work directly alongside federal clients and a small, experienced AppSec team in a fast-paced, technically driven environment where clear communication and autonomous execution are expected every day.

Requirements

  • Hands-on, operational experience running SAST and DAST programs — not just familiarity. You’ve scheduled scans, managed result pipelines, and worked with development teams on remediation.
  • Configure and run Veracode scans end-to-end and use Burp Suite (proxy, repeater, scanner) to conduct manual application testing. You know the difference between what each tool catches.
  • Work in Linux CLI daily — navigating directories, checking service status, running network diagnostics, and troubleshooting without needing a GUI.
  • Understand CI/CD concepts and have worked security tooling into a pipeline. You know what a GitHub Actions workflow looks like and can contribute to one.
  • Write Python, bash, or similar scripts to automate repetitive security tasks. You can build and maintain tooling that makes your workflow faster.
  • Worked in or alongside a federal environment and understand what FISMA, NIST 800-53, and FedRAMP mean in practice.
  • Participate actively in daily stand-ups, flag issues early, and explain a technical finding clearly to a non-technical federal stakeholder.
  • High school diploma or GED required
  • 6+ years of IT experience
  • 3+ years specifically in SAST/DAST application security testing
  • 2+ years of coding in Python, Java, .NET, or C#
  • 3+ years designing and implementing enterprise-wide security controls
  • Public Trust / Suitability clearance
  • U.S. Citizenship required

Nice To Haves

  • Experience with Contrast (IAST) — deployment or workflow administration across a large application portfolio
  • HackerOne or bug bounty program participation; published CVEs or CWEs a plus
  • Selenium experience; experience scripting authentication flows for SSO or EntraID environments
  • Familiarity with OWASP ZAP or Burp Proxy as complementary tooling
  • Certifications in application security: CSSLP, OSCP, GWAPT, or equivalent
  • Bachelor’s degree in Computer Science, Information Technology, Information Security, or related field preferred (experience may substitute for degree)

Responsibilities

  • Plan, schedule, and administer SAST and DAST scans using Veracode across a portfolio of federal web applications; manage scan frequency, result downloads, and client reporting.
  • Conduct hands-on application security assessments using Burp Suite Enterprise — including proxy capture, authentication testing, repeater analysis, and manual verification of findings.
  • Triage scan results to distinguish true positives from false positives; coordinate with development teams to verify that remediations are correctly implemented before closing findings.
  • Integrate and maintain security tooling within CI/CD pipelines using GitHub Actions; work with Dependabot and reusable workflow patterns as the team migrates from GitLab to GitHub.
  • Support complex authentication testing scenarios including PIV card, EntraID, and SSO configurations that are a known operational challenge on this contract.
  • Operate Contrast for IAST coverage across 150+ applications; maintain tool availability and manage workflow queues.
  • Communicate findings, status, and remediation guidance to development teams and federal clients during daily stand-ups and technical sessions.
  • Maintain working knowledge of evolving threats and federal compliance requirements including NIST 800-53, FISMA, and FedRAMP to support a security-conscious operating environment.

Benefits

  • Medical Insurance
  • Dental Insurance
  • Vision Insurance
  • Life Insurance
  • Short Term & Long-Term Disability
  • 401k Retirement Savings Plan with Company Match
  • Paid Holidays
  • Paid Time Off (PTO)
  • Tuition and Professional Development Assistance