Application Security Tooling Engineer

iWorks Corporation
1 month ago
Full-time
Remote
United States

Title: Application Security Tooling Engineer
Location: Remote

About iWorks:
iWorks Corporation, founded in 2005, is a leading provider of information technology and professional services to the federal government. We are a recognized leader in personnel security and vetting solutions, Agile, DevOps, DevSecOps, data analytics, and cloud solutions. Our continuous process improvement approach, combined with our business and technology expertise, results in innovative solutions.

We offer exceptional comprehensive benefits (Medical, Dental, Vision, Life and Disability); 401(k); Health and Wellness Benefits; and Paid Sick Time, Vacation Time, and Holiday Time. You're eligible for bonuses throughout the year as part of our incentive program for innovation and business development. All employees are also considered for an annual raise, commensurate with performance and company commitment.

About this position:
iWorks is seeking an Application Security Tooling Engineer to design, operate, and continuously improve our federal client's application security (AppSec) scanning ecosystem across the software development life cycle (SDLC). This role focuses on the administration and integration of Sonatype, Fortify, StackRox, and Burp Suite tools to ensure scalable, auditable, mission-ready security controls in regulated environments. The candidate will also provide leadership, policy guidance, and hands-on support for AppSec operations.

Salary Range: – commensurate with the candidate's skills, experience, location, and qualifications.

On a day-to-day basis, you will:

  • Deploy, configure, harden, maintain, and upgrade Sonatype, Fortify, StackRox, and Burp Suite in on-prem or cloud environments (Oracle Cloud preferred).
  • Manage licensing, capacity, backup/restore, high availability, and disaster recovery for AppSec tools.
  • Establish SLAs/SLOs, monitoring/alerting, and operational runbooks.
  • Integrate tools into CI/CD pipelines (Jenkins, GitLab CI, etc.) with policy-based gating and risk-based exceptions.
  • Standardize developer "secure-by-default" workflows, including pull request checks, nightly scans, and release readiness criteria.
  • Define and tune scanning policies, reduce false positives/negatives, and maintain auditable vulnerability management workflows.
  • Provide actionable findings and remediation guidance to engineering teams, including targeted Burp validation for high-risk applications/APIs.
  • Implement container/Kubernetes security using StackRox, including image scanning, runtime detections, admission controls, and least-privilege enforcement.
  • Produce metrics and dashboards for vulnerability trends, remediation time, and policy compliance.
  • Support RMF/ATO evidence collection and compliance audits.
  • Mentor and manage at least one other AppSec professional.

Required Education/Qualifications:

  • Active Secret clearance (Interim Secret acceptable).
  • 5+ years in application security engineering and/or DevSecOps in regulated environments.
  • Hands-on experience with Sonatype (Nexus IQ/Lifecycle), Fortify (SCA/SSC), StackRox/Red Hat ACS, and Burp Suite (Professional/Enterprise preferred).
  • Strong CI/CD integration and automation skills.
  • Working knowledge of:
      • Secure SDLC, OWASP Top 10, dependency risk, SBOM concepts, container/Kubernetes security.
      • Linux administration, networking fundamentals, TLS/cert management, SSO/LDAP.
      • Common languages/build systems (Java/Maven/Gradle, .NET/NuGet, Node/npm, Python/pip).
      • Oracle Cloud Infrastructure.
  • DoD 8570 IAT II certification (e.g., Security+).

Preferred Qualifications:

  • DoD/IC experience with RMF, STIGs, and vulnerability management processes.
  • Familiarity with registries and orchestration: Harbor, Artifactory, ECR, Kubernetes/OpenShift, Helm.
  • Experience integrating with SIEM/SOAR and ticketing platforms (Splunk, ServiceNow, Jira).
  • Additional certifications: CISSP, CSSLP, GIAC, Kubernetes security certifications.

Please Note: We maintain an on-camera policy for all virtual company meetings to foster engagement and collaboration. Reasonable exceptions may be granted with prior approval from Human Resources and/or the applicable manager or client.

FLSA & EMPLOYMENT STATUS: FLSA EXEMPT AND FULL-TIME POSITION

iWorks Corporation is an Equal Employment Opportunity/Affirmative Action Employer. We evaluate qualified applicants without regard to race, color, religion, sex, national origin, disability, Veteran status, sexual orientation, or other protected characteristic.