Senior AppSec Engineer - Burp Suite, Linux, & Custom Extensions

Phia LLC• Fairfax, VA, US, VA

2h•Remote

About The Position

phia is hiring a Senior Application Security Engineer to join a small, highly technical AppSec team supporting a federal civilian client. This is a fully remote role within the United States. You will work directly alongside the government technical lead and our existing senior AppSec engineer as the third member of a tight-knit two-to-three person team operating inside a broader 19-person cybersecurity program. This is a hands-on engineering seat, not a paper-pusher role. The client is a deeply technical Linux/Unix practitioner with strong DevSecOps and AppSec instincts who runs lean by design. We are looking for an engineer who can hold a peer-level technical conversation with him on day one, push back when warranted, and drive technical discussions with development and platform teams outside of security. If you live in a terminal, build your own tooling, and treat Burp Suite as an extensible platform rather than a point-and-click scanner, you will be at home here.

Requirements

6+ years of hands-on application security engineering experience.
Demonstrable, current expertise with Burp Suite Enterprise (DAST operations, scan authentication, troubleshooting) and Burp Suite Professional (manual testing, repeater, intruder, session handling).
Strong Linux/Unix administration skills from the command line. Comfortable answering basic questions like “what command checks disk space” or “how do I check whether a service is running” without hesitation, and equally comfortable with more advanced diagnostics.
Proficiency writing custom Burp extensions and security automation scripts in Python (and ideally Java for the Montoya API).
Working experience with Kubernetes, Docker, and YAML-driven infrastructure.
Experience with AWS CloudFormation (or equivalent IaC) and Ansible.
Experience integrating security scanning into CI/CD pipelines using GitHub Actions, including reusable workflows and Dependabot.
Demonstrated experience designing authenticated DAST scans against applications protected by SSO, MFA, OTP, or PIV/smart card authentication.
Clear understanding of modern authentication and authorization protocols, including OAuth 2.0 flows (authorization-code, client-credentials, refresh tokens), SAML, and OpenID Connect.
U.S. Citizenship and ability to obtain and maintain the required federal Public Trust clearance.

Nice To Haves

OpenShift administration experience, particularly migration of workloads from EKS or self-managed Kubernetes.
Experience operationalizing Contrast IAST or another interactive application security testing platform.
Experience supporting or validating findings from a managed bug bounty program (HackerOne, Bugcrowd, etc.).
Active participation in AppSec or DevSecOps research, OWASP chapters, CTFs, or public security publications.
Relevant certifications such as OSCP, OSWE, GWAPT, Burp Suite Certified Practitioner, CKA/CKS, AWS Security Specialty, or CISSP.

Responsibilities

Own day-to-day operations of the Burp Suite Enterprise DAST program: scan scheduling, agent and Linux infrastructure health, scan tuning, and result triage across multiple federal application environments.
Configure and troubleshoot authenticated scans against modern web applications and APIs, including recorded login sequences (via the official Burp recorder Chrome extension), session-handling rules, and macro-based re-authentication.
Diagnose and resolve Burp Enterprise scan failures end to end: consecutive audit-item failures, skipped insertion points, timeouts, session invalidation, and authentication state loss. You read scan logs and traces, not just dashboards.
Extend Burp Suite Professional with custom extensions (Python/Java/Montoya API) to automate repetitive manual verification, custom authentication flows, and findings validation for the bug bounty program.
Make Burp Enterprise work against authenticated APIs and applications that were designed for human authorization-code flows by adapting them to OAuth 2.0 client-credentials and other machine-to-machine patterns suitable for automated scanning.
Design and implement authenticated scan workflows that survive multi-factor authentication, including SMS one-time passwords, TOTP tokens, hardware dongles, PIV and smart card client-certificate authentication, and SSO federation.
Partner with the application and identity teams to provision dedicated lower-environment test accounts and authentication paths that allow continuous, hands-off DAST coverage.
Clearly articulate and apply the distinctions between OAuth 2.0 authorization-code flow, client-credentials flow, SAML, and OpenID Connect when designing scan authentication strategies.
Administer the AppSec team’s own Linux infrastructure in AWS (currently EC2 with containerized Burp Enterprise components) and contribute to the migration to on-premise OpenShift.
Convert legacy Python and shell tooling left behind by previous engineers into Ansible roles and playbooks; manage YAML, Dockerfiles, and Kubernetes manifests as code.
Use CloudFormation for AWS infrastructure as code; comfortably operate at the Kubernetes and Linux CLI for routine tasks (disk usage with df, service status with systemctl, container lifecycle, log retrieval, and basic networking diagnostics).
Integrate AppSec tooling into GitHub Actions workflows alongside Dependabot SCA, including the appropriate use of workflow_dispatch versus workflow_call patterns and reusable workflows.
Work with development teams to embed scan gates and remediation feedback loops into existing CI/CD pipelines (GitHub Actions primary; Jenkins as encountered).
Provide secondary support to the broader AppSec toolset: Veracode SAST, Contrast IAST for interactive scanning and runtime security testing, GitHub Advanced Security workflows, and the HackerOne bug bounty program (validating reported findings with Burp Suite Professional).