9129 - Software Vulnerability Technical Lead/Manager

Job Location: Yorktown, VA - USA

Monthly Salary: Not Disclosed

Vacancies: 1

Job Description

    Job Req Title: Software Vulnerability Technical Lead/Manager

    Worksite Location: Remote

    Clearance: Top Secret; Tier 5 (T5) Single Scope Background Investigation (SSBI)

    Start Date: Contingent upon contract award

    IndraSoft Inc. is seeking a highly qualified Subject Matter Expert (SME)-level Software Vulnerability Technical Lead/Manager with an active Top Secret clearance to support our DoD client located in Seaside, CA. The selected candidate will manage the daily operations of software vulnerability analyst and engineering duties, and will directly perform as both an analyst and an engineer during surge and deadline periods. The successful candidate will leverage demonstrated application development experience coupled with proven subject matter expertise in static, dynamic, open-source, and web vulnerability scanning to support DoD cybersecurity requirements and objectives.

    Qualifications Required:

    • Must be a US citizen and possess a DoD Top Secret clearance; minimum vetting: Tier 5 (T5) Single Scope Background Investigation (SSBI)
    • Active DoD 8570 IAT Level III certification for compliance, including at least one of the following certifications in good standing: CASP+ CE, CCNP Security, CISA, CISSP (or Associate), GCED, GCIH
    • Computing Environment certification
    • Bachelor's degree and 10 years of Information Technology or Cybersecurity-related experience
    • 5 years of experience as an application developer
    • 3 years of experience with the management and operation of static, dynamic, open-source, and web vulnerability scanning, and/or manual review of source code for vulnerabilities
    • Experience managing and integrating SAST, DAST, OAST, IAST, and RAST with a Central Application Vulnerability Management (CAVM) solution
    • Ability to communicate effectively with government and contract leadership while conveying highly technical concepts to both technical and non-technical stakeholders
    • Capacity to thrive in a complex, fast-paced environment with competing demands while delivering a consistent, high-quality commitment to mission-critical systems and solutions
    • Excellent analytic skills, including qualitative and quantitative data analysis, to support and defend data-driven decision-making regarding system threats, vulnerabilities, and risk
    • Knowledge of DoD cybersecurity policies, practices, and requirements
    • Strong organizational skills

    Qualifications Desired:

    • DevSecOps knowledge and experience
    • Hands-on experience in scripting, such as PowerShell, Python, or Bash
    • Understanding of the OWASP Top 10
    • Hands-on experience with web application penetration testing and vulnerability scanning
    • Experience in an enterprise environment (1,500+ servers and 2,500+ workstations)
    • Strong technical writing skills
    • CISSP, CASP+, CEH

    To perform this job successfully, an individual must be able to perform each essential duty satisfactorily. The requirements listed below are representative of the knowledge, skill, and/or ability required.

    Essential Functions and Responsibilities:

    • Serve as the Technical Lead for the Software Vulnerability Management suite of tools and its daily operations
    • Serve as a Line Manager for staff supporting the Cybersecurity Software Vulnerability Management suite of tools (Sonatype, Fortify, WebInspect, Burp, etc.), ranging from 1 to 5 staff members over the life of the contract
    • Manage/oversee and/or directly perform analyst and engineering duties. Provide surge support when the assigned analyst and engineer need it to meet daily operations objectives
      • Analyst Functions
        • POA&Ms
          • Maintain a POA&M inventory of applications
          • Review POA&M submissions; evaluate compliance, non-compliance, N/As, and false positives; and prioritize recommendations for the development team
        • Conduct security reviews of application scan results
        • Provide approval or disapproval recommendations to the Application Security Officer
        • Scan all applications annually, as a minimum
        • Work with solution engineers, developers, and the Deployable Technology Team to implement the block/divest policy
        • Ensure applications are scanned prior to release to production
        • Ensure that policies which fail application builds on policy violations work properly
        • Ensure authorized access for all AppSec/Software Vulnerability tools
        • Demonstrate a strong knowledge and understanding of current security threats, techniques, and the threat landscape
      • Engineering Functions
        • Implement any necessary REST APIs to provide access to core features for custom implementations, as required to meet the organization's needs
        • Support DevSecOps integration
        • Provide SAST product suite installation, configuration, and tuning
        • Manage integration of external data feeds (Dynamic Application Security Testing, Static Application Security Testing, Open Source Vulnerability Scanner, etc.) into the Security Center
        • Provide scanning support for over 550 applications, including troubleshooting unsuccessful scans. Applications may increase to upwards of 1,000 by contract end
        • Facilitate and assist with the installation of any accounts, plugins, and software required by the development community
        • Coordinate with stakeholders to schedule and test AppSec tool upgrades and maintenance
        • Perform patch and vulnerability management across the security suite of tools
        • Collaborate with Product Owners, developers, and engineers to enhance DAST/SAST/CAVM functionality and performance
        • Customize the implementation of DAST/SAST/CAVM in production and test environments
        • Understand and apply new policy violations
        • Maintain the schedule for, and perform, scans of web sites using the specified tools as directed
        • Perform daily monitoring of AppSec tools
        • Monitor and process AppSec tickets, such as (but not limited to) account management, application promotions to production, scan requests, and inquiries
    • Vendors
      • Conduct security evaluations of recommended vendor software for the enterprise
      • Collaborate with AppSec tool suite vendors
    • Reports/Metrics/Documentation
      • Collaborate with leadership to develop metrics based on enterprise situational awareness and monitoring
      • Provide Central Application Vulnerability Management (CAVM) performance metrics
      • Track, measure, and evaluate application security compliance across the enterprise
      • Prepare and present weekly status slides
      • Create and maintain SOPs for Fortify, Sonatype, WebInspect, Burp Suite, and Software Security Center
      • Facilitate AppSec meetings and prepare meeting minutes
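The analyst functions listed above (keep a POA&M inventory, scan every application at least annually, scan before release to production, and make sure build-failing policies actually fire) together describe a release gate. The following is an added illustrative example of such a gate, not code from the posting, from IndraSoft, or from any of the named vendor tools; the severity threshold, scanner tags, application names, rule identifiers, dates, and POA&M entries are all constructed assumptions.

```python
"""Release gate and scan-currency check for a CAVM-style application inventory.

Added illustrative example; not code from the posting or any vendor tool.
Scanner tags, rule IDs, application names, dates and POA&M entries below are
constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date

SCAN_MAX_AGE_DAYS = 365                     # "scan all applications annually as a minimum"
BLOCKING_SEVERITIES = {"critical", "high"}  # assumed threshold; the real policy is org-defined


@dataclass(frozen=True)
class Finding:
    tool: str       # which scanner reported it: "sast", "dast", "sca" (assumed tags)
    rule_id: str    # scanner rule or CWE identifier
    severity: str   # critical / high / medium / low
    location: str   # file:line or URL; used to key POA&M exceptions


@dataclass
class ScanRecord:
    app: str
    scan_date: date
    findings: list[Finding]


@dataclass
class Poam:
    """Analyst-reviewed exceptions for one application (the POA&M outcome)."""
    false_positives: set[tuple[str, str]] = field(default_factory=set)
    not_applicable: set[tuple[str, str]] = field(default_factory=set)

    def excludes(self, f: Finding) -> bool:
        key = (f.rule_id, f.location)
        return key in self.false_positives or key in self.not_applicable


def evaluate_release(record, poam, today):
    """Return (allowed, reasons). Release is allowed only if a current scan exists
    and no blocking finding remains once POA&M exceptions are applied."""
    if record is None:
        return False, ["no scan on file: a scan is required before release to production"]
    reasons = []
    age_days = (today - record.scan_date).days
    if age_days < 0:
        reasons.append("scan date is in the future; record is untrustworthy")
    elif age_days > SCAN_MAX_AGE_DAYS:
        reasons.append(f"last scan is {age_days} days old (limit {SCAN_MAX_AGE_DAYS})")
    blocking = [f for f in record.findings
                if not poam.excludes(f) and f.severity.lower() in BLOCKING_SEVERITIES]
    if blocking:
        ids = ", ".join(sorted({f"{f.tool}:{f.rule_id}" for f in blocking}))
        reasons.append(f"{len(blocking)} unresolved blocking finding(s): {ids}")
    return not reasons, reasons


def stale_applications(inventory, records, today):
    """Inventory entries never scanned, or last scanned beyond the annual minimum.
    `records` maps application name -> ScanRecord."""
    return sorted(app for app in inventory
                  if app not in records
                  or (today - records[app].scan_date).days > SCAN_MAX_AGE_DAYS)


# Constructed sample data (not real applications, scans or findings).
TODAY = date(2024, 6, 1)  # fixed so the example is deterministic
INVENTORY = {"payroll-portal", "travel-api", "legacy-intranet"}
SAMPLE_RECORDS = {
    "payroll-portal": ScanRecord("payroll-portal", date(2024, 5, 20), [
        Finding("sast", "CWE-89", "critical", "src/db/query.py:88"),   # genuine, unresolved
        Finding("dast", "CWE-79", "high", "/search?q="),               # analyst ruled false positive
        Finding("sca", "CWE-1104", "medium", "requests@2.25.0"),      # below blocking threshold
    ]),
    "travel-api": ScanRecord("travel-api", date(2023, 4, 1), [          # 427 days old
        Finding("sast", "CWE-798", "high", "config/settings.py:12"),  # ruled not applicable
    ]),
    # "legacy-intranet" has never been scanned
}
SAMPLE_POAMS = {
    "payroll-portal": Poam(false_positives={("CWE-79", "/search?q=")}),
    "travel-api": Poam(not_applicable={("CWE-798", "config/settings.py:12")}),
}

if __name__ == "__main__":
    for app in sorted(INVENTORY):
        ok, why = evaluate_release(SAMPLE_RECORDS.get(app), SAMPLE_POAMS.get(app, Poam()), TODAY)
        print(f"{app}: {'ALLOW' if ok else 'BLOCK'} {why}")
    print("stale:", stale_applications(INVENTORY, SAMPLE_RECORDS, TODAY))
```

The gate deliberately keeps two decisions separate: scan currency (is there a scan, and is it recent enough) and residual risk (what remains after analyst-reviewed false positives and N/As are removed), so a report can say which of the two blocked a release. Exceptions are keyed on rule plus location rather than on rule alone, so a false-positive ruling on one occurrence does not silently suppress a new occurrence of the same rule elsewhere.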

    About Us

    At IndraSoft you will be joining a team of highly qualified individuals who solve today's challenges, transform to the future state, and execute innovative technology solutions for our federal customers. For more than 16 years we have provided cutting-edge solutions in the areas of DevSecOps, Cybersecurity, Advanced Data Analytics, emerging Cloud technologies, and Enterprise IT to our Defense and Civilian customers. You will be leading our efforts to integrate and innovate technology solutions to solve our clients' toughest technology problems.

    EEO Commitment

    IndraSoft is an equal employment opportunity/affirmative action employer. We are committed to providing a workplace that is free from discrimination based on race, color, ethnicity, religion, sex, national origin, age, marital status, sexual orientation, gender identity and expression, disability, veteran status, pregnancy, genetic information, or any other status protected by applicable federal, state, local, or international law. These protections also extend to applicants. Follow the links below to find out more:

    EEO is Law Poster

    EEO is Law Supplement

    Pay Transparency Nondiscrimination Provision

    Accommodations

    If you are an individual with a disability and would like to request a reasonable workplace accommodation, please send an email to. Indicate the specifics of the assistance needed.


    Required Experience: Manager

    Employment Type: Full-Time
