Secure Software Assessment SME (Top Secret Clearance)

Aperio Global is seeking a Software Assessment SME in Alexandria VA.

This position requires an active TOP SECRET clearance.

You will be responsible for ensuring the security of software applications through secure coding practices and code vulnerability assessments. Lead a team of application security specialists, providing guidance on secure coding practices and static/dynamic analysis methodologies. Provide guidance to development teams on secure coding techniques and remediation strategies for identified vulnerabilities.

Oversee the execution of application security assessments, including code reviews and vulnerability scans, to identify security flaws in software applications. Provide actionable recommendations to development teams and stakeholders, based on assessment findings, to improve application security and mitigate identified risks. Develop and maintain application security procedures to promote secure software development practices.What You’ll Do:

• Conduct Code Vulnerability Assessments: Perform rigorous static and dynamic code analysis to identify vulnerabilities in software applications. Utilize tools like SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) to ensure the application’s security posture.• Lead and Guide Application Security Teams: Manage and mentor a team of application security specialists, providing technical leadership and guidance on complex vulnerability analyses. Review team findings to ensure accurate results and high-quality deliverables.• Promote and Train on Secure Coding Practices: Educate and provide training to development teams on secure coding techniques and common vulnerabilities (e.g., based on OWASP Top Ten, CWE/SANS Top 25). Deliver workshops or guidelines on defensive coding against injection attacks, cross-site scripting (XSS), secure authentication, etc.• Oversee Secure Software Assessments: Plan, prioritize, and execute secure software assessments across the software lifecycle, including secure design reviews, code audits, and vulnerability testing. Ensure assessments align with organizational and DoD policies for application security.• Provide Vulnerability Remediation Guidance: Offer actionable recommendations to developers, architects, and system owners to remediate identified code vulnerabilities and improve the security of applications. Ensure that all secure recommendations align with development timelines and technical feasibility.• Develop and Maintain Security Procedures and Guidelines: Create and update secure software development lifecycle (SDLC) protocols, ensuring they include best practices for vulnerability prevention. Establish a set of repeatable processes for conducting secure software assessments.• Collaborate with Development and Stakeholder Teams: Serve as a liaison between security, development, and operations teams, ensuring shared understanding of application security goals and activities. Incorporate security requirements into development workflows and stakeholder requirements.• Monitor Application Threats in Real-Time: Implement baseline measures to monitor frameworks, libraries, and third-party software for vulnerabilities or new security threats. Ensure that vulnerabilities associated with third-party code are identified, assessed, and remediated effectively.• Assess and Integrate Emerging Tools and Techniques: Evaluate new application security tools, methods, and frameworks for integration into software development environments to enhance security.• Perform Reporting and Communication: Develop comprehensive reports to communicate assessment findings, risks, and remediation steps to stakeholders and leadership in a clear and actionable format. Provide periodic updates and performance metrics on application security initiatives to leadership.

Knowledge, Skills, and Abilities:

• Secure Coding Practices and Standards: Expertise in secure software development methodologies, including OWASP Secure SDLC, OWASP Top 10, and CWE/SANS Top 25 vulnerabilities.• Static and Dynamic Application Security Testing (SAST/DAST): Proficient in using and configuring tools like Fortify, SonarQube, OWASP ZAP, Burp Suite, and Checkmarx for vulnerability detection.• Application Vulnerability Assessment and Risk Management: Skilled in identifying, analyzing, prioritizing, and remediating software vulnerabilities across various applications and environments.• Programming and Framework Expertise: In-depth knowledge of programming languages (e.g., Java, Python, C++, JavaScript) and their associated vulnerabilities, as well as secure coding practices within frameworks like Spring and Django.• Leadership and Team Collaboration: Strong ability to lead, mentor, and guide a team of application security specialists, as well as collaborate effectively with development and stakeholder teams.• Threat Modeling and Intelligence Integration: Proficient in performing threat modeling, incorporating threat intelligence into assessments, and adapting secure practices to address evolving attack vectors.• Compliance and DoD Standards Expertise: Familiarity with DoD frameworks (e.g., DISA STIGs, RMF, FISMA), ensuring software security practices meet federal and organizational compliance requirements.• DevSecOps and Automation Proficiency: Skilled in integrating security tools and practices into CI/CD pipelines and using scripting languages (e.g., Python, PowerShell, Bash) for process automation.• Effective Communication and Documentation: Ability to clearly communicate technical security risks to non-technical stakeholders and develop comprehensive security procedures, playbooks, and training materials.• Continuous Improvement and Emerging Technology Knowledge: Capacity to assess and integrate new tools and techniques into software security operations while staying current with emerging application risks and best practices.

Required Qualifications:

TOP SECRET CLEARANCE

• Bachelor's degree in technical discipline, or related field and/or 10-years’ experience in progressively more complex roles in software development, vulnerability analysis, and/or application security management• Clearance Requirement: Top Secret• CompTIA Security+• Certified Information Systems Security Professional (CISSP)

Desired Qualifications:

• Certified Ethical Hacker (CEH)• GIAC Certified Incident Handler (GCIH)• Certified Secure Software Lifecycle Professional (CSSLP)• GIAC Secure Software Programmer (GSSP)• GIAC Web Application Penetration Tester (GWAPT)• Certified Ethical Hacker (CEH)• CompTIA PenTest+:• AWS Certified Security – Specialty (or equivalent):• GIAC Critical Controls Certification (GCCC):• Application and Code Analysis Tool Expertise. Advanced understanding of tools like Veracode, WhiteSource, or Black Duck for software composition analysis (SCA) and third-party library management.• Scripting/Programming for Automation. Skills in scripting or programming (e.g., Python, Bash, PowerShell) to develop custom security checks and automate testing workflows.• Deep Knowledge of Emerging Threats. Familiarity with new and evolving threats, attack vectors, and mitigation strategies in cutting-edge applications (e.g., mobile apps, microservices, and APIs).• Cloud Security and Secure Deployment. Knowledge of securing applications in cloud environments (e.g., AWS, Azure, or Google Cloud) using tools and frameworks like AWS Shield or Azure DevSecOps.• Knowledge of Vulnerability Databases. Familiarity with CVEs (Common Vulnerabilities and Exposures) and tools like the NVD (National Vulnerability Database) for identifying known security issues.