Lead Application Security Engineer

Phia LLC, Fairfax, VA, US
Remote

About The Position

phia is hiring a Lead Application Security Engineer to drive the dynamic application security testing (DAST) program for a federal civilian client. The environment is a complex enterprise with a large attack surface and active cyber threats, where application security is mission-critical. The engineer will join a small, highly technical AppSec team that owns the entire technology stack: self-managed Linux servers in AWS, Burp Suite Enterprise for DAST, Burp Suite Professional for manual validation, custom Burp extensions, GitHub Actions CI/CD pipelines, and an ongoing migration to OpenShift using Ansible. This is not a ticket-mill position; it offers direct involvement in the work with minimal approval layers. The federal technical lead is looking for a peer who can drive technical conversations and contribute hands-on.

Requirements

  • 8+ years in engineering/security with deep, recent, hands-on experience operating Burp Suite Enterprise and Burp Suite Professional, including configuring authenticated scans.
  • Demonstrated experience writing or significantly modifying custom Burp extensions (Python via Jython, or Java using the Montoya API).
  • Strong Linux/Unix command-line fluency, with the ability to diagnose services, disk, memory, and network issues from the shell.
  • Proficiency in Python and Bash scripting.
  • Ansible exposure.
  • Experience with Docker/Kubernetes (OpenShift is a plus) and AWS.
  • Experience integrating security tooling into GitHub Actions or comparable CI/CD pipelines.
  • Proven technical leadership skills, with experience driving programs or technical decisions across teams.
  • An active interest in AppSec and DevSecOps research, including testing new techniques and following industry developments.
  • U.S. citizenship.
  • Ability to complete federal Public Trust vetting.

Nice To Haves

  • Published Burp extensions (BAppStore or GitHub).
  • Conference talks, blog posts, or contributions to open-source security tooling.
  • Experience scripting around OTP/TOTP, PIV, or certificate-based authentication for automated scanning.
  • Veracode SAST, Contrast IAST, or bug bounty validation experience (HackerOne or similar).
  • Prior federal or regulated-environment AppSec work, including familiarity with NIST SP 800-53 and FISMA.

Responsibilities

  • Architect, operate, and continuously improve the Burp Suite Enterprise DAST program, including scheduled authenticated scans, recorded login sequences, session handling, scan tuning, and failure diagnosis.
  • Develop and maintain custom Burp extensions in Python (Jython) or Java (Montoya API) to solve authentication, validation, and workflow problems.
  • Perform authenticated scanning against complex targets involving MFA, one-time passwords, OAuth 2.0, SSO federation, and PIV/smart-card certificates.
  • Conduct manual validation using Burp Suite Professional to verify remediations, eliminate false positives with evidence, and present findings to a technical audience.
  • Provide technical leadership, driving discussions and building consensus with DevOps, platform, and identity stakeholders outside the security team.
  • Administer the team’s Linux servers in AWS (EC2, CloudFormation), support the migration to OpenShift, and convert legacy Python/shell tooling to Ansible roles and playbooks.
  • Integrate security into CI/CD pipelines, including GitHub Actions workflows, Dependabot, and reusable security gates across repositories.

Benefits

  • Medical Insurance
  • Dental Insurance
  • Vision Insurance
  • Life Insurance
  • Short Term & Long-Term Disability
  • 401k Retirement Savings Plan with Company Match
  • Paid Holidays
  • Paid Time Off (PTO)
  • Tuition and Professional Development Assistance
© 2026 Teal Labs, Inc