Sr. Software Security Engineer
Location: Reston, VA, US
Company Description
Alphalogic is a global technology solutions company headquartered in the Washington, DC metropolitan area. Alphalogic offers a wide range of technology and consulting services: predictive analytics, data warehousing & BI, cloud consulting, and web & mobile application development.
Cutting-edge Technologies
Our company’s core competencies are cloud and mobile computing; healthcare solutions and services; data warehousing, analytics, and business intelligence; and enterprise collaboration and content management. Alphalogic teams are continually deploying emerging technologies to meet our clients’ current challenges.
Industry Best Practices
Alphalogic specializes in the effective use of industry-standard frameworks such as Agile to help our clients achieve quick wins and reduce cycle times.
Job Description
The Senior Software Security Engineer will work within the software engineering organization to translate and define security requirements; use and mature practices for building secure applications; and suggest and support remediation activities for identified vulnerabilities. This position requires interest and expertise in defining and executing on a software engineering security practice; strong proven software development skills; expertise with major software infrastructures (J2EE, .NET, Oracle) and architectures (Web, SOA); an ability to build rapport and credibility with management and software development teams; and the ability to document and communicate the results of code reviews and penetration tests. Successful candidates must be action-oriented self-starters, capable of solving complex technical problems both independently and in a team environment. Candidates must also be able to communicate clearly and effectively to both technical and executive-level audiences, both verbally and in written form.
- Defines and mentors software engineering teams on processes that build security in, such as security related programming standards, use of APIs that support secure coding, code review, use of automated scanning tools, and penetration testing.
- Works with software engineering teams and Enterprise Architecture (EA) to build out formal product security plans that put in place controls to build security in during the software development life cycle.
- Stays current with emerging software security technologies, trends, and attack vectors, with a primary focus on internal reference architectures and security standards.
- Performs/participates in architectural reviews that are meant to identify and remedy architectural security flaws.
- Responsible for the use of security-related code analysis tools and takes the lead on tuning, enhancements, upgrades, and tool integration.
- Develops threat models in conjunction with architects and software engineering staff.
- Oversees the development of misuse/abuse cases in conjunction with requirements analysts.
- Works with the Information Security Office on incident response and operational/strategic initiatives.
Qualifications
Education/Experience
Bachelor’s Degree in a related field plus additional related college courses or professional training. Four to seven years of progressively responsible directly-related experience.
Related Skills & Other Requirements:
- Strong and evolving competence in several programming languages and technologies, mastery of one or more tool sets, technologies, and implementation environments.
- Advanced knowledge of programming languages, relational database management systems, networking technology, multiple desktop operating systems and multiple server operating systems.
- Must have strong knowledge in one or more of the following: HTML, JavaScript, DOM, AJAX, CSS/CSS2, XML, XHTML, DHTML, etc.
- Must have adequate knowledge of J2EE and/or .NET technologies.
- Experience writing automated unit tests.
- Experience in performing code reviews.
- Knowledge of TCP/IP, HTTP/S and other protocols.
- Knowledge of cross-site scripting (XSS), session hijacking, SQL injection, CSRF (Cross-Site Request Forgery), OWASP Top 10, and other attack vectors a plus.
- Knowledge of OWASP Web Security Certification Criteria, OWASP testing guidelines and PCI Data Security Standards is a plus.
- Experience with one or more of the following tools is a plus: nmap, Nessus, Metasploit, TCPDump, Burp Suite, ZAProxy.
- Experience with IBM AppScan Source Edition, IBM AppScan Standard, and/or HP Fortify is a plus.
- Experience with the following source code repositories is a plus: SVN, GIT, IBM ClearCase.
- Any knowledge of one or more of the following is a plus: Python, Ruby, PHP or other scripting languages.
- Reverse engineering experience is a plus.
- Protocol analysis and forensic analysis experience is a plus.
- Experience installing, configuring and maintaining continuous integration (CI) environment(s) using tools such as Cruise Control, Cruise Control.NET, Hudson, Jenkins, Bamboo, or Gauntlet in a test-driven development (TDD) process is a plus.
- Experience with one or more of the following static analysis tools is a plus: FindBugs, FxCop, and PMD.
- Additional certifications such as CISSP, CSSLP, CEH, ENCE, CCE, GCFA, GCIA, GCIH, CHFI and/or QSA are highly desired.
Additional Information
No C2C or Agency candidates. Local candidates are strongly encouraged to apply.
