Application Security Tooling Engineer - Remote

iWorks Corporation

4d•Remote

About The Position

iWorks is seeking an Application Security Tooling Engineer to design, operate, and continuously improve our federal client's application security (AppSec) scanning ecosystem across the software development life cycle (SDLC). This role focuses on the administration and integration of Sonatype, Fortify, StackRox, and Burp Suite tools to ensure scalable, auditable, mission-ready security controls in regulated environments. The candidate will also provide leadership, policy guidance, and hands-on support for AppSec operations.

Requirements

Active Secret clearance (Interim Secret acceptable).
5+ years in application security engineering and/or DevSecOps in regulated environments.
Hands-on experience with Sonatype (Nexus IQ/Lifecycle), Fortify (SCA/SSC), StackRox/Red Hat ACS, and Burp Suite (Professional/Enterprise preferred).
Strong CI/CD integration and automation skills.
Working knowledge of:
Secure SDLC, OWASP Top 10, dependency risk, SBOM concepts, container/Kubernetes security.
Linux administration, networking fundamentals, TLS/cert management, SSO/LDAP.
Common languages/build systems (Java/Maven/Gradle, .NET/NuGet, Node/npm, Python/pip).
Oracle Cloud Infrastructure.
DoD 8570 IAT II certification (e.g., Security+).

Nice To Haves

DoD/IC experience with RMF, STIGs, and vulnerability management processes.
Familiarity with registries and orchestration: Harbor, Artifactory, ECR, Kubernetes/OpenShift, Helm.
Experience integrating with SIEM/SOAR and ticketing platforms (Splunk, ServiceNow, Jira).
Additional certifications: CISSP, CSSLP, GIAC, Kubernetes security certifications.

Responsibilities

Deploy, configure, harden, maintain, and upgrade Sonatype, Fortify, StackRox, and Burp Suite in on-prem or cloud environments (Oracle Cloud preferred).
Manage licensing, capacity, backup/restore, high availability, and disaster recovery for AppSec tools.
Establish SLAs/SLOs, monitoring/alerting, and operational runbooks.
Integrate tools into CI/CD pipelines (Jenkins, GitLab CI, etc.) with policy-based gating and risk-based exceptions.
Standardize developer "secure-by-default" workflows, including pull request checks, nightly scans, and release readiness criteria.
Define and tune scanning policies, reduce false positives/negatives, and maintain auditable vulnerability management workflows.
Provide actionable findings and remediation guidance to engineering teams, including targeted Burp validation for high-risk applications/APIs.
Implement container/Kubernetes security using StackRox, including image scanning, runtime detections, admission controls, and least-privilege enforcement.
Produce metrics and dashboards for vulnerability trends, remediation time, and policy compliance.
Support RMF/ATO evidence collection and compliance audits.
Mentor and manage at least one other AppSec professional.

Benefits

Medical
Dental
Vision
Life and Disability
401(k)
Health and Wellness Benefits
Paid Sick Time
Vacation Time
Holiday Time
bonuses throughout the year as part of our incentive program for innovation and business development
annual raise, commensurate with performance and company commitment