
Security Software Engineer

Eccalon, LLC

US · On-site Full-time Senior 2w ago

About the role

This is NOT a remote position

We are seeking a Security Software Engineer to build and harden software systems supporting DoD programs operating under CMMC/NIST 800‑171/FedRAMP compliance requirements. You will embed security across the SDLC—from design and code review through CI/CD and cloud deployment—working alongside engineering, DevSecOps, and IT teams in a regulated, cloud‑native environment (AWS Commercial and GovCloud, Azure GCC High).

Responsibilities

Core Engineering & Secure Development

  • Design and develop secure software with a security‑first mindset baked into every phase of the SDLC.
  • Apply secure coding standards, threat modeling, and vulnerability mitigation aligned to NIST 800‑53 and CMMC Level 2/3 controls.
  • Conduct architecture reviews and code hardening to address OWASP Top 10 and DoD STIGs.
  • Automate security gates in CI/CD pipelines (SAST, DAST, dependency scanning, secrets detection).

Security Architecture & Controls

  • Design secure system and API architectures for multi‑tenant cloud environments, including GCC High and FedRAMP‑authorized platforms.
  • Implement IAM controls, JIT provisioning, SSO/SAML/OIDC flows, and least‑privilege authorization frameworks (e.g., Cognito, Azure AD).
  • Instrument applications with security logging and monitoring that satisfies audit and continuous monitoring requirements (AU/SI control families).

Vulnerability Management & Response

  • Lead code reviews, SAST/DAST scans, and targeted penetration testing; document findings against control frameworks.
  • Triage and remediate vulnerabilities within POA&M timelines; maintain artifact evidence for compliance assessments.
  • Support incident response for application‑layer events; contribute to after‑action reports and corrective action plans.

Cross‑functional Collaboration

  • Serve as the embedded security champion for engineering squads, raising the security bar through mentorship and code review culture.
  • Develop and deliver security training and runbooks tailored to engineering and DevOps team members.
  • Collaborate with DevOps/SRE to enforce secure IaC, WAF rules, network controls, and runtime monitoring across AWS and Azure environments.

Required Qualifications

  • Bachelor’s degree in Computer Science, Engineering, or related field—or equivalent experience.
  • 3+ years of software engineering experience with a strong focus on security.
  • Proficiency in one or more programming languages (e.g., JavaScript/TypeScript, Python, Go, C#).
  • Experience with secure coding practices and frameworks.
  • Strong understanding of application security principles, including:
    • OWASP Top 10
    • Secure API/REST design
    • Cryptography fundamentals
    • Authentication/authorization patterns
  • Experience with code scanning tools (SAST/DAST), threat modeling, and penetration testing.
  • Familiarity with NIST 800‑171, CMMC, or FedRAMP security control requirements and evidence collection.
  • Hands‑on experience with AWS and/or Azure security services (IAM, WAF, Security Hub, Defender, Sentinel); GCC High or GovCloud experience a plus.

Preferred Qualifications

  • Experience with container security (Docker, ECS).
  • Working knowledge of Zero Trust Architecture principles.
  • Experience building DevSecOps pipelines in regulated environments; familiarity with tools like Prisma, Checkov, Snyk, or Aqua.
  • Relevant certifications (any of the following):
    • CISSP, CSSLP, or CASP+
    • OSCP
    • CEH
    • GIAC (GWAPT, GSEC, GWEB) or CCP/CCA (UK Cyber Essentials equivalent)
  • Experience securing microservices or event‑driven architectures on ECS; background in federal or cleared environments preferred.

Skills

AWS, AWS Commercial, AWS GovCloud, Azure, Azure AD, Azure GCC High, C#, CMMC, CI/CD, DAST, Docker, ECS, FedRAMP, Go, IAM, JavaScript, NIST 800-171, NIST 800-53, OWASP Top 10, Python, SAST, SAML, Security Hub, Sentinel, SIEM, Snyk, SSO, TypeScript, WAF, Zero Trust Architecture
