QA Engineer / DevSecOps AnalysT with Security Clearance
CEdge Inc. · St Louis, MO · 2 wk ago
EngineeringFull-time
About the role
The QA Engineer / DevSecOps Analyst owns the quality and security pipeline for all TMS maintenance and programming deliverables. The contract imposes hard security scan obligations—90-day mandatory scans, 10-business-day High-Threat remediation, static scan score maintained at 90 or above—that require a dedicated owner.
Responsibilities
- Schedule, execute, and report all required 90-day security code scans for critical and external-facing TMS web applications; maintain static scan score ≥ 90 at all times (§2.3.7)
- Triage scan results: classify vulnerabilities by severity, assign ownership to developers, and track High-Threat remediation to closure within 10 business days (§2.3.7)
- Operate and maintain the CI/CD pipeline in Azure DevOps: configure build triggers, automated test execution, and gate controls that enforce quality and security standards before merge
- Develop and maintain automated test suites (unit, integration, regression) for the highest-risk TMS modules; expand coverage during SOW development
- Execute SOW quality gates: confirm unit, integration, and system test completion; document results with pass/fail criteria; prepare staging packages for MoDOT acceptance
- Participate in code review from a security and test-coverage perspective; flag testability or security concerns during architecture walkthroughs
- Track and report security and quality metrics to the Technical Program Manager weekly; produce monthly scan compliance evidence for Program Manager review before invoicing
- Ensure mirrored workstation environment at CEdge matches MoDOT's security scanning toolchain; coordinate tool updates within 30 days of MoDOT infrastructure change notifications
- Support ADA/Section 508 accessibility testing for all new and modified web-application deliverables
Requirements
- Minimum 3 years of software QA, test engineering, or application security experience
- Hands-on experience with static application security testing (SAST) tools (SonarQube, Veracode, Checkmarx, or equivalent)
- Experience with CI/CD pipeline configuration in Azure DevOps, Jenkins, or equivalent
- Experience writing and executing test plans, test cases, and regression suites for .NET web applications
- Ability to classify and triage CVSS-scored vulnerabilities and communicate remediation priorities to developers
- Ability to pass MoDOT background check
Qualifications
- Minimum 1 year of experience similar to MoDOT's technical architecture (.NET, Oracle, Azure DevOps)
- Experience with OWASP Top 10 and secure coding practices in a .NET context
- CompTIA Security+, GIAC GWEB, or equivalent security credential
- Experience with accessibility testing tools for Section 508 compliance (WAVE, axe, NVDA)
- Missouri residency or St. Louis metro area location
- Experience managing scan schedules against contractual cadence requirements