We have an exciting opportunity for an Applications Security
Engineer to join our team. The Applications Security Engineer
provides detailed security analysis of in-house developed and COTS
web and client/server applications. The Application Security
Engineer serves the needs of the agency by validating security
controls and technical approaches for application security.
Additionally, the Application Security Engineer shall assess the
existing controls and recommend new solutions and policies to
improve the agency's security posture, act as a security subject
matter expert on all projects and initiatives, and work to improve
end-user cybersecurity awareness.
o Develop security awareness, guidance, and socialization
materials for training internal application teams.
o Review and provide consulting for IT security team members as
part of security reviews and investigations.
o Monitor and investigate application security logs.
o Develop, implement, and improve application security logging,
alerts, and incident response capabilities.
o Work with cross-functional internal teams and assist with
architecture, threat modeling, and reviewing systems and
infrastructure to identify vulnerabilities and weaknesses in
o Make appropriate vulnerability remediation recommendations,
create socialization and technical analysis documentation, and
collaborate with teams to implement those recommendations.
o Conduct vulnerability research and analysis for emerging
threats, best practices, and architectural models for application
architecture and dependencies.
o Audit, validate, and track application architecture
vulnerabilities across presentation, data management and
integration levels to report and prioritize risk to businesses.
o Perform application penetration testing to examine target
systems in detail, looking for vulnerabilities and weaknesses.
o Identify and implement application level security technical
and process vulnerability remediations and improvements.
o Define and own metrics to determine effectiveness of security
o Apply comprehensive hardening to infrastructure platforms,
deployment code, and images.
o Architect, build, automate, and operate automated security
controls/tools and review capabilities to detect vulnerabilities
across all applications and services.
o Development of Web Applications and Dashboards using front-end
o Create and maintain Secure Software Development Life Cycle
(SDLC) and secure SDLC models documentation for application
o Review, create and maintain security requirements of an
application while in development.
o Define, maintain, and enforce application security policies,
standards, and procedures.
o Perform manual and automated code review of applications.
o Assess track and prioritize vulnerabilities of
o Provide detailed analysis and mitigations based on assessments
and testing of applications.
o Prioritize remediation based on security ratings and the needs
of the business.
o Create socialization and guidance materials for Security
o Lead Application Security Event Forensic Root Cause
o Collaborate with incident coordinators and report findings to
management in real time.
o Perform IT security triage, scoping, containment, and
mitigation activities in coordination with application owners.
o Complete documentation of IT Security events.
o Minimum three (3) to five (5) years in application, web,
and/or database management.
o Minimum one (1) to two (2) years of work experience in an
Application Security function.
o Experience with integration systems including managed file
transfers, privileged access management and integration platforms
as a service.
o Experience with Oracle and Microsoft Database environments
o Experience working in Virtualized and Cloud environments
o Experience with identity protection services such as Azure
Identity Protection Services
o Experience implementing Azure MFA integrations.
o Experience implementing modern authentication structures such
as SAML, OIDC, and OAuth.
o Experience with Solution as a Service and other cloud models.
o Experience with AWS, Azure environments including log review,
analytics, and security services.
o Experience testing APIs and mitigating open API
o Experience in pen testing and the MITRE ATT&CK
o Experience troubleshooting Application and Operating system
- Functional Abilities, Knowledge and Skills
o Be a champion for security culture and excellence, exercise
risk-based judgment, and prioritize remediation work.
o Knowledge of IT control concepts such as zones of trust, zero
trust, and privileged access management.
o Ability to self-manage with limited oversight.
o Excellent written and oral communication skills.
o Excellent interpersonal skills.
o Excellent judgment and problem-solving skills.
o Strong Knowledge of OWASP Top 10.
o Strong knowledge of application threat modeling.
o Static application security testing and dynamic application
o Ability to review and walk through code in real time for
application code and script review.
o Ability to troubleshoot modern identification and integration
- Technical Abilities, Knowledge, and Skills
o Proficiency with application vulnerability scanning and
penetration testing tools such as Burp Suite, AppSpider, Kali, etc.
o Proficiency with scripting and coding languages including
PowerShell and Python, or similar, in a Windows environment.
- Licenses or Certificates:
o Security+, SSCP, or CySA+ Certification
- Must be available for 24/7 on-call support for emergency
- Candidate must be a US citizen
o Published work or contributions in related subject matter.
o Penetration Testing, Application Forensic and threat hunting
certifications are a plus.
o Certified Application Security Engineer (CASE) or equivalent
o One (1) to three (3) years of experience in a system/network
security functional position in Windows environments.
o Familiarity with Linux.
o Experience developing quantitative evaluation metrics through
the automation of analytics data collection and parsing.
o Experience with CIS and NIST controls and other frameworks for
on-prem and cloud environments.
o Experience with Structured and Unstructured Data.
o Experience with Container platforms such as Docker.
o Experience with Regex, log analytics and application log
o Experience in transit and operational technologies is a plus.
Education: Bachelor's degree in Computer Science, Application
Development, Cybersecurity, or a related field.
Benefits: Full-time employees (permanent or contract employees
who are employed for a term greater than 6 months) are eligible for
benefits including time-off benefits, such as vacations and
holidays, and insurance and other plan benefits.
Location: Norfolk, VA
Bay State Computers, Inc. is a professional services firm and a
leading provider of Information Technology (IT) services and
products to the U.S. Federal Government and Industry. Bay State
brings together experienced IT professionals and the latest
state-of-the-art technology tools, practices, and products to
support projects and task order requirements for our customers. For
more information about Bay State visit our website and connect with
us on LinkedIn.
Bay State Computers, Inc. is an Equal Opportunity/Affirmative
Action Employer. All qualified candidates will receive
consideration for this position regardless of race, color, creed,
religion, national origin, age, sex, citizenship, ethnicity,
veteran status, marital status, disability, or any other
characteristic protected by applicable law.