Web Application Security Assessor

About The Position

Requirements

• Minimum of 8 years with BS/BA; Minimum of 6 years with MS/MA; Minimum of 3 years with PhD
• Clearance: Active TS/SCI clearance.
• Candidate must meet ONE of the following: Master’s degree or Ph.D. in Computer Science, Cybersecurity, Data Science, Information Systems, Information Technology, Software Engineering, or a related field; OR Relevant DoD/military training (documented advanced application security or offensive security coursework); OR Relevant professional certification or equivalent experience (examples: CISSP‑ISSEP; ISC2 CSSLP; GIAC GWAPT).
• Web application security, penetration testing, or secure development experience with at least 3 years performing advanced web assessments.
• Expert knowledge of web vulnerabilities (OWASP Top 10), manual testing techniques, authenticated testing, and exploit validation.
• Hands‑on experience with web testing tools (Burp Suite, ZAP), code review for security, and methods for secure remediation and mitigation.
• Ability to produce reproducible test evidence, technical remediation guidance, and executive‑level risk summaries.
• Experience coordinating assessments in production/staging environments and validating fixes under change control.

Nice To Haves

• Prior DoD/ARNG web security assessment or application security program experience.
• Experience integrating findings into detection engineering, WAF tuning, CI/CD security gates, and developer training programs.

Responsibilities

• Lead defensive web application assessments: plan and execute comprehensive evaluations of enterprise web services from discovery through remediation validation.
• Perform advanced manual testing to validate complex findings (SQL injection, XSS, authentication/authorization flaws, access control issues) beyond automated scans.
• Triage scan outputs, rule out false positives, and prioritize findings by exploitability, impact, and mission risk.
• Provide authoritative remediation guidance: explain root causes, recommend mitigations, and advise secure coding/configuration practices to development and operations teams.
• Coordinate assessment lifecycles with system owners, developers, QA, and cybersecurity stakeholders; validate fixes and retest to confirm closure.
• Analyze enterprise vulnerability trends to identify systemic weaknesses and recommend defensive improvements.
• Produce detailed technical reports, evidence bundles, and executive summaries to support risk management, compliance, and continuous improvement.
• Contribute detection/use‑case inputs to detection engineering and SOC teams to improve monitoring of web threats.