About Veda Infotech Services, LLC:
Veda Infotech Services, LLC is a dynamic software consulting firm with over 10 years of experience in delivering innovative and customized IT solutions. We serve clients across various industries, providing services such as software modernization, business intelligence, cloud computing, cybersecurity, and AI engineering. Our goal is to support digital transformation and optimize business operations through strategic IT consulting and cutting-edge technology. We value our professionals and offer comprehensive benefits, along with opportunities for growth, to work with our federal clients. This is a full-time position or W2 contract. U.S. Citizens and Green Card holders are highly encouraged to apply.
Location: Washington DC
Experience: 5+ years of experience
Job Title: Application Security Engineer
Job Summary
The Application Security Engineer is responsible for embedding security within the software development lifecycle (SDLC) to protect applications from vulnerabilities and cyber threats. This role integrates security into DevOps pipelines (DevSecOps), conducts secure code reviews, performs vulnerability assessments, and ensures compliance with regulatory standards (NIST, ISO 27001, FedRAMP, etc.). The engineer collaborates with development, QA, and security teams to ensure secure coding practices and continuous application security improvements.
Key Responsibilities: The ideal candidate should possess some of the skills and experience listed under each category:
Development + Security + Operations
- Integrate security tools into CI/CD pipelines (e.g., Jenkins, GitHub Actions, Azure DevOps, GitLab CI).
- Automate vulnerability scans using SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) tools.
- Configure and manage security tools like SonarQube, Checkmarx, Veracode, Snyk, OWASP ZAP, and Burp Suite.
- Implement automated security gates to prevent the deployment of code with critical vulnerabilities.
- Collaborate with DevOps engineers to establish Infrastructure as Code (IaC) security standards using tools like Terraform, AWS CloudFormation, or Azure Resource Manager (ARM) templates.
- Provide security guidance to development teams on DevOps processes and ensure 'shift-left' security.
Secure Code Review & Remediation
- Conduct manual and automated reviews of source code to identify vulnerabilities (e.g., OWASP Top 10, CWE Top 25).
- Review applications written in Java, Python, C#, JavaScript, TypeScript, etc., and identify areas for code-level security improvements.
- Collaborate with developers to remediate code vulnerabilities by providing actionable recommendations.
- Leverage tools such as Checkmarx, SonarQube, Fortify, or Veracode for secure code analysis.
- Document and communicate secure coding guidelines for development teams.
- Train developers on secure coding best practices and identify risks in third-party/open-source libraries.
Security Testing & Vulnerability Management
- Conduct application penetration testing to identify weaknesses, logic flaws, and exploits.
- Perform SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), and IAST (Interactive Application Security Testing) to identify vulnerabilities at different stages of SDLC.
- Run automated security scans on web, mobile, and API-based applications.
- Identify and mitigate risks related to OWASP Top 10 (e.g., XSS, SQL Injection, CSRF, etc.) and CWE Top 25 vulnerabilities.
- Conduct threat modeling and perform risk assessments for critical applications.
- Track and manage vulnerabilities using platforms like JIRA, ServiceNow, or custom vulnerability management platforms.
Compliance & Regulatory Requirements
- Ensure software development and applications comply with NIST, ISO 27001, GDPR, HIPAA, SOC 2, and FedRAMP standards.
- Work with internal audit teams to ensure application security processes are compliant with organizational policies and external regulations.
- Create and maintain security documentation, policies, and procedures for application development.
- Support security audits and penetration testing exercises required for regulatory compliance.
- Provide input for risk assessments and compliance checklists for new software applications.
Incident Response & Continuous Improvement
- Respond to security incidents and conduct root cause analysis (RCA) to prevent recurrence.
- Assist with post-incident reviews and ensure security updates are implemented in affected applications.
- Stay current with emerging security threats, vulnerabilities, and industry best practices.
- Drive continuous improvement by integrating lessons learned from incidents into SDLC security practices.
Required Skills & Qualifications
Technical Skills
- Application Security Tools: Checkmarx, Veracode, Fortify, SonarQube, OWASP ZAP, Burp Suite, Snyk, etc.
- Programming Languages: Hands-on experience with at least one of the following languages: Java, Python, C#, JavaScript, TypeScript, Node.js, Go, Ruby.
- CI/CD & DevOps: Proficiency with CI/CD platforms like Jenkins, GitHub Actions, GitLab CI/CD, Azure DevOps.
- Cloud Security: Knowledge of securing applications on AWS, Azure, or Google Cloud. Familiarity with Infrastructure as Code (IaC) tools like Terraform, CloudFormation, or Azure Resource Manager.
- Testing Tools: Proficiency in SAST, DAST, and IAST tools for automated and manual application testing.
- Threat Modeling & Risk Assessment: Ability to conduct threat modeling, risk assessments, and root cause analysis.
- Compliance Knowledge: Familiarity with standards like NIST, ISO 27001, GDPR, SOC 2, FedRAMP, OWASP, and CIS Controls.
Soft Skills
- Problem-Solving: Ability to identify complex security issues and provide clear, actionable guidance.
- Communication: Ability to explain security concepts to development and business teams.
- Collaboration: Ability to work cross-functionally with DevOps, development, QA, and compliance teams.
- Attention to Detail: Focused on identifying and remediating minor vulnerabilities that could lead to major breaches.
Experience Required
- Minimum Experience: 3-7 years of experience in application security, DevSecOps, or software development with a security focus.
- Experience working with secure SDLC processes and embedding security controls into CI/CD pipelines.
- Experience with threat modeling, risk assessments, and vulnerability management for application development.
- Hands-on experience with security tools like SonarQube, Checkmarx, Snyk, OWASP ZAP, and Burp Suite.
Educational Requirements
- Bachelor's or Master's degree in Computer Science, Cybersecurity, Information Security, or a related field.
- Equivalent work experience may be accepted in lieu of a degree.
Required Certifications
While certifications are not always required, having them strengthens the candidate's application. The most relevant certifications for this role include:
- Certified Information Systems Security Professional (CISSP)
- Certified Secure Software Lifecycle Professional (CSSLP)
- Offensive Security Certified Professional (OSCP) (for penetration testing aspects)
- GIAC Web Application Penetration Tester (GWAPT)
- Certified Ethical Hacker (CEH) (for manual security testing/penetration testing)
- AWS Certified Security Specialist (if working in cloud environments)
Salary Range
- United States: $110,000 - $140,000 annually (depending on experience, certifications, and location)
Why Join Us?
- Growth Opportunities: Be part of a forward-thinking company that invests in your development.
- Cutting-Edge Projects: Work on impactful software development initiatives.
- Diverse Team: Collaborate with a highly skilled, diverse, and inclusive team.