Job Description
We are seeking a Security Software Engineer to build and harden software systems supporting DoD programs operating under CMMC/NIST 800-171/FedRAMP compliance requirements. You will embed security across the SDLC—from design and code review through CI/CD and cloud deployment—working alongside engineering, DevSecOps, and IT teams in a regulated, cloud-native environment (AWS Commercial and GovCloud, Azure GCC High).
Responsibilities
Core Engineering & Secure Development
- Design and develop secure software with a security-first mindset baked into every phase of the SDLC.
- Apply secure coding standards, threat modeling, and vulnerability mitigation aligned to NIST 800-53 and CMMC Level 2/3 controls.
- Conduct architecture reviews and code hardening to address OWASP Top 10 and DoD STIGs.
- Automate security gates in CI/CD pipelines (SAST, DAST, dependency scanning, secrets detection).
Security Architecture & Controls
- Design secure system and API architectures for multi-tenant cloud environments, including GCC High and FedRAMP-authorized platforms.
- Implement IAM controls, JIT provisioning, SSO/SAML/OIDC flows, and least-privilege authorization frameworks (e.g., Cognito, Azure AD).
- Instrument applications with security logging and monitoring that satisfies audit and continuous monitoring requirements (AU/SI control families).
Vulnerability Management & Response
- Lead code reviews, SAST/DAST scans, and targeted penetration testing; document findings against control frameworks.
- Triage and remediate vulnerabilities within POA&M timelines; maintain artifact evidence for compliance assessments.
- Support incident response for application-layer events; contribute to after-action reports and corrective action plans.
Cross-functional Collaboration
- Serve as the embedded security champion for engineering squads, raising the security bar through mentorship and code review culture.
- Develop and deliver security training and runbooks tailored to engineering and DevOps team members.
- Collaborate with DevOps/SRE to enforce secure IaC, WAF rules, network controls, and runtime monitoring across AWS and Azure environments.
Required Qualifications
- Bachelor’s degree in Computer Science, Engineering, or related field—or equivalent experience.
- 3+ years of software engineering experience with a strong focus on security.
- Proficiency in one or more programming languages (e.g., JavaScript/TypeScript, Python, Go, C#).
- Experience with secure coding practices and frameworks.
- Strong understanding of application security principles, including:
- OWASP Top 10
- Secure API/REST design
- Cryptography fundamentals
- Authentication/authorization patterns
- Experience with code scanning tools (SAST/DAST), threat modeling, and penetration testing.
- Familiarity with NIST 800-171, CMMC, or FedRAMP security control requirements and evidence collection.
- Hands-on experience with AWS and/or Azure security services (IAM, WAF, Security Hub, Defender, Sentinel); GCC High or GovCloud experience a plus.
Preferred Qualifications
- Experience with container security (Docker, ECS).
- Working knowledge of Zero Trust Architecture principles.
- Experience building DevSecOps pipelines in regulated environments; familiarity with tools like Prisma, Checkov, Snyk, or Aqua.
- Relevant certifications (any of the following):
- CISSP, CSSLP, or CASP+
- OSCP
- CEH
- GIAC (GWAPT, GSEC, GWEB) or CCP/CCA (UK Cyber Essentials equivalent)
- Experience securing microservices or event-driven architectures on ECS; background in federal or cleared environments preferred.
