Staff/Sr. Staff Application Security Engineer
SciTec · Boulder, CO · 3 wk ago
On-siteInformation Technology$98k–$146k/yrFull-time
Responsibilities
- Perform application security analysis using both automated and manual techniques, including: Static code analysis (SAST), Software composition analysis (SCA), Fuzzing
- Manual code and design reviews
- Identify, analyze, and help remediate application vulnerabilities
- Support software engineers in integrating security considerations into system and application designs
- Integrate and maintain application security tooling within CI/CD and DevSecOps pipelines
- Design, implement, and improve continuous integration security analysis tooling
- Tune and maintain security tools to reduce false positives and improve signal quality
- Assist development teams in understanding findings and implementing effective fixes
- Support threat modeling and secure design reviews
- Stay current with emerging vulnerabilities, attack techniques, and mitigation strategies
- Document findings, recommendations, and best practices
Requirements
- Bachelor's degree plus 2+ years of professional experience in cybersecurity or software development, or equivalent experience
- 2+ years of experience focused on application/software security
- Familiarity with secure software development practices
- Strong analytical, problem-solving, and communication skills
- Detail-oriented with strong written and verbal communication abilities
- Ability to qualify for and maintain a DoD or DoE Secret security clearance
- Ability to meet DoD 8140.01 Cyberspace Workforce Management requirements within six months of hire
Qualifications
- Active DoD Secret clearance or higher
- Credit for published CVEs is a strong plus
- Proficiency in one or more programming languages such as C++, Python, JavaScript, Rust
- Experience configuring and operating static analysis tools (e.g., Coverity, Klocwork, SonarQube)
- Experience configuring and operating software composition analysis tools (e.g., Snyk, Sonatype, Anchore, JFrog Xray)
- Experience with fuzzing frameworks (AFL, AFL++, honggfuzz, or similar)
- Experience with debugging, runtime instrumentation, or reverse engineering, including tools such as: strace eBPF Ghidra or IDA Pro
- Familiarity with threat modeling methodologies and frameworks such as MITRE ATT&CK
- Experience working in DevSecOps or Agile development environments
Benefits
- 4% Safe Harbor 401(k) match
- 100% company paid HSA Medical insurance, with a choice of 2 buy-up options
- 80% company paid Dental insurance
- 100% company paid Vision insurance
- 100% company paid Life insurance
- 100% company paid Long-term Disability insurance
- 100% company paid Hospital Indemnity insurance
- Voluntary Accident and Critical Illness insurance
- Short-term Disability insurance
- Annual Profit-Sharing Plan
- Discretionary Performance Bonus
- Paid Parental Leave
- Generous Paid Time Off, including Holiday, Vacation, and Sick Pay
- Flexible Work Hours