We are seeking a .NET application security engineer who has worked with AppScan Source. This is a long-term contract in DC and requires a public trust clearance. The key responsibilities of this position are to carry out the agency's security engineering program. This includes vulnerability detection and verification in applications and databases via dynamic and static testing, building an AppStore of application security components, and creating demonstrable examples.
Education and Experience:
Required Skills and Competencies:
In-depth knowledge and extensive hands-on experience in dynamic analysis techniques, tools, and best practices.
Extensive knowledge of the processes, techniques, and technology used in vulnerability scanning and penetration testing against applications, services, and databases.
Extensive hands-on experience with commercial vulnerability scanning tools for applications, services, and databases, such as WebInspect, Burp Proxy, AppDetective, and AppScan Enterprise.
Extensive hands-on experience with popular free and/or open source application-level security scanners, penetration testing tools, and proxy tools.
Hands-on experience performing manual penetration testing against Web applications, Web Services, LDAP, databases, and mobile applications.
Solid understanding of top application, service, and database level vulnerabilities.
Solid understanding of top vulnerabilities for mobile applications and systems.
In-depth knowledge and extensive hands-on experience in static analysis techniques, tools, and best practices.
In-depth knowledge of .NET languages, such as C#, ASP.NET, and LINQ, and the ability to define coding and configuration best practices.
In-depth knowledge of scripting languages used in Web applications and databases, such as JavaScript, HTML, and Transact-SQL.
Very proficient in identifying and verifying security vulnerabilities in Web applications, SOA/Web Services, databases, application source code and configuration files using static analysis tools, such as AppScan Source Edition.
Hands-on experience with AppScan Source is required.
Very proficient in identifying application security components and creating demonstrable examples of how to use these components to mitigate vulnerabilities in applications, services, and databases.
Solid understanding of the common structure and security weaknesses of typical Web applications, mobile applications and systems, SOA/Web Services, and cloud-based services.
Proficient with Java.
Very proficient in identifying application security components for .NET and creating demonstrable examples of how to use these components to mitigate vulnerabilities in applications, services, and databases.
Proficient with security architectural principles.
Knowledge of Red Hat Linux, Ubuntu KVM, Windows, and VMware Server and Workstation, and the ability to create and maintain virtual machine images for vulnerability scanning and penetration testing.
Proficient in building and managing a component repository using open source software such as Subversion or CVS.
Ability to communicate effectively with all levels of management and staff, both orally and in writing, sufficient to develop and deliver briefings, project papers, status reports, and correspondence that report security vulnerabilities and their impact, show the benefits of vulnerability testing and code review, foster understanding, and promote acceptance of the agency security engineering program.
Desired Skills:
The successful candidate is subject to a background investigation by the government and must be able to meet the requirements to hold a position of public trust.