9129 - Software Vulnerability Technical Lead/Manager

Job Req Title:                Software Vulnerability Technical Lead/Manager

Worksite Location:       Remote

Clearance:                    Top Secret\ Tier 5(T5)-Single Scope Background Investigation (SSBI)

Start Date:                    Contingent upon contract award

IndraSoft, Inc. is seeking a highly qualified Subject Matter Expert (SME) level Software Vulnerability Technical Lead/Manager with an active Top Secret clearance to support our DoD client, located in Seaside, CA.  The selected, highly motivated candidate will manage the daily operations of Software Vulnerability analyst and engineering duties.  The Lead/Manager will directly perform as both an analyst and an engineer, during surge and deadline timeframes.  The successful candidate will leverage demonstrated application development experience, coupled with proven subject matter expertise in Static, Dynamic, open source, and web vulnerability scanning to support DoD cybersecurity requirements and objectives.

Qualifications Required:

• Must be a US citizen, possess a DoD Top Secret clearance: Minimum vetting Tier 5(T5)-Single Scope Background Investigation (SSBI)

• Active DoD 8570 IAT Level 3 certification for compliance, including at least one of the following certifications in good standing: CASP+ CE, CCNP Security, CISA, CISSP (or Associate), GCED, GCIH

• Computing Environment Certification
• Bachelor’s degree and 10+ years of Information Technology or Cybersecurity related experience
• 5+ years of experience as an application developer
• 3+ years of experience with management and operations of Static, Dynamic, open source, and web vulnerability scanning; and/or manual review of source code for vulnerabilities.
• Experience managing and integrating SAST, DAST, OAST, IAST, and RAST with Central Application Vulnerability Management (CAVM) Solution

• Ability to communicate effectively with government and contract leadership, while conveying highly technical concepts to both technical and nontechnical stakeholders
• Capacity to thrive in a complex, fast paced environment with competing demands while delivering consistent, high-quality commitment to mission-critical systems and solutions
• Excellent analytic skills, including qualitative and quantitative data analysis to support and defend data-driven decision-making regarding system threats, vulnerabilities, and risk
• Knowledge of DoD cybersecurity policies, practices, and requirements
• Strong organizational skills

Qualifications Desired:

• DevSecOps knowledge and experience
• Hands-on experience in scripting such as PowerShell, Python, or Bash
• Understanding of OWASP Top 10
• Hands-on experience with Web Application Penetration testing and vulnerability scanning
• Experience in an enterprise environment (1500 servers plus 2500 workstations)
• Strong technical writing skills
• CISSP, CASP, CEH

To perform this job successfully, an individual must be able to perform each essential duty satisfactorily.  The requirements listed below are representative of the knowledge, skill, and/or ability required. 

Essential Functions and Responsibilities:

• Serve as the Technical Lead for Software Vulnerability Management Suite of Tools and daily operations
• Serve as a Line Manager for staff supporting Cybersecurity Software Vulnerability Management Suite of Tools (Sonatype, Fortify, WebInspect, Burp, etc), ranging from a staff of 1 to 5 staff members over the life of the contract
• Manage/oversee and or directly perform analyst and engineering duties. Provide surge support when the assigned analyst and engineer need to meet daily operations objectives

• Analyst Functions
• POA&MS
• Maintain a POA&M inventory of applications
• Review POA&M submissions, evaluate compliance, non-compliance, N/As, and false positives and prioritize recommendations for the development team
• Conduct security reviews of application scan results
• Provide approval or disapproval recommends for the Application Security Officer
• Scan all applications annually as a minimum
• Work with solution engineers, developers, and Deployable Technology Team to implement block/divest policy
• Ensure applications scans prior to release to production
• Ensure policies failing application build work properly
• Ensure authorized access for all AppSec/Software Vulnerability tools
• Demonstrate a strong knowledge and understanding of current security threats, techniques, and landscape
• Engineering Functions
• Implement any necessary REST APIs in order to provide access to core features for custom implementations as require in order to meet organization’s needs
• Support DevSecOPS integration
• Provide SAST Product suite installation, configuration and tuning
• Manage external data feeds integration (Dynamic Application Security Testing, Static Application Security Testing, Open Source Vulnerability Scanner, etc.) into the Security Center
• Providing scanning support for over 550 applications, to include troubleshooting unsuccessful scans.  Applications may increase upwards to 1000 by contract end
• Facilitate and assist with the installation of any accounts, plugins, and software required by the development community
• Coordinate with stakeholders to schedule and test AppSec tools’ upgrades and maintenance
• Perform patch and vulnerability management across the security suite of tools
• Collaborate with Product Owners, developers and engineers to enhance DAST/SAST/CAVM functionality and performance
• Customize the implementation of DAST/SAST/CAVM in production and test environments
• Understand and apply new policy violations
• Maintain schedule and perform scans of web sites using specified tools as directed
• Perform AppSec tools daily monitoring
• Monitor and process AppSec ticket(s), such as but not limited to account management, application promotions to production, scan requests, inquiries, etc.
• Vendors
• Conduct security evaluations of recommended vendor software for the enterprise
• Collaborate with AppSec tool suite vendors
• Reports/Metrics/Documentation
• Collaborate with leadership to develop metrics based on enterprise situational awareness and monitoring
• Provide Central Application Vulnerability Management (CAVM) performance metrics
• Track, measure and evaluate application security compliance across the enterprise
• Prepare and present weekly presentation status slides
• Create and maintain SOPs for Fortify, Sonatype, WebInspect, Burp Suite, and Software Security Center
• Facilitate AppSec meetings, and prepare meeting minutes