Application Security Engineer

Virginia Information Technologies Agency
Richmond, VA
Hybrid

About The Position

The Virginia Department of Taxation is seeking an Application Security Engineer for the Office of Technology's Application Security unit to help ensure the protection, confidentiality, integrity, and availability of Virginia Tax information technology resources. The Application Security Engineer's purpose is to champion security throughout the Software Development Life Cycle and serve as a key connection point between application and engineering teams and the broader joint security operations teams.

The role focuses on proactively documenting, identifying, assessing, and helping mitigate vulnerabilities before they can be exploited, ensuring applications and environments are built and maintained with strong security controls. Responsibilities include reviewing system architectures, developing and maintaining system security plans, guiding teams on secure development practices, and ensuring adherence to security policies and standards. As a security advocate and subject matter expert, the Application Security Engineer empowers application teams to design, deliver, and operate secure applications and environments. The position combines hands-on technical expertise with the ability to influence engineering practices and promote a security-first culture across the organization.

The position is located at our Main Street Centre location in Richmond, Virginia, and has a hybrid schedule consisting of 3 days in the office (Tuesday, Wednesday, Thursday) and 2 days teleworking (Monday and Friday). Candidates must reside within 50 miles of the Richmond office to be eligible for this role. The anticipated hiring salary is commensurate with experience up to $100,000.

Requirements

  • Experience providing information security guidance and training.
  • Knowledge and experience with application development and security architecture.
  • Knowledge of secure coding standards and guidelines and ability to identify security flaws in source code.
  • Knowledge of vulnerability remediation and patch management for applications.
  • Experience with SAST, DAST, and IAST security testing tools (e.g., Acunetix, Veracode, Jenkins, Splunk, Rapid7, Tenable).
  • Knowledge and experience with Web Application Firewalls (WAFs) and AWS Security Groups implementation strategies for application protection.
  • Experience with and understanding of security information and event management (SIEM) systems (e.g., Splunk, Azure Sentinel, or IBM QRadar).
  • Knowledge and experience with AWS services (e.g., Security Hub, GuardDuty, Security Groups, Inspector, Config, CloudWatch, S3 Buckets, IAM, CloudTrail, EC2 (Elastic Compute Cloud), CodePipeline, KMS, and Secrets Manager).
  • Knowledge and understanding of relevant security regulations and standards (e.g., NIST 800-53, IRS Pub 1075, PCI-DSS, OWASP Top 10, MITRE ATT&CK, CIS Benchmarks, NIST Cybersecurity Framework).
  • Comprehensive knowledge of a System Security Plan (SSP) and experience in creating and maintaining an SSP.

Nice To Haves

  • CompTIA Security+
  • Certified Cloud Security Professional (CCSP)
  • ISC2 CC (Certified in Cybersecurity)
  • AWS Certified Security
  • AWS Solutions Architect (Associate/Professional)
  • AWS Security Specialty

Responsibilities

  • Champion security throughout the Software Development Life Cycle.
  • Serve as a key connection point between application and engineering teams and the broader joint security operations teams.
  • Proactively document, identify, assess, and help mitigate vulnerabilities before they can be exploited.
  • Ensure applications and environments are built and maintained with strong security controls.
  • Review system architectures.
  • Develop and maintain system security plans.
  • Guide teams on secure development practices.
  • Ensure adherence to security policies and standards.
  • Empower application teams to design, deliver, and operate secure applications and environments.
  • Promote a security-first culture across the organization.

Benefits

  • Job stability and quality of life
  • Flexible schedule options
  • Up to two days of telework per week
  • 12 Paid State holidays
  • Vacation leave
  • Sick leave
  • Volunteer leave
  • Personal leave
  • Comprehensive and affordable health benefits
  • Public Service Loan Forgiveness program eligibility
  • Participation in the Virginia Retirement System
  • VA 457 Deferred Comp