Sr. Software/Systems Security Engineer (SME)

Location
Washington D.C.
Posted
Mar 03, 2017
Closes
Apr 07, 2017
Function
IT, Security Engineer
Hours
Full Time

Planned Systems International (PSI) is recruiting for DHS and other projects wherein we provide SME Level IT Security Support Services and Compliance for all aspects of IT services.   These are large environments with 1000's of seats; multiple LAN's; and multiple system/software applications requiring static code analysis/review (automated and manual) to exploit and recommend ways to correct potential software vulnerabilities or potential malicious code.  Projects include all systems and applications are required to be in compliance with a full security assessment and authority to operate.

Essential Functions and Job Responsibilities:
The DHS Science & Technology Division requires a Sr. Software Security Engineer to perform multiple and ongoing Static Code Analysis (SCA) Risk Assessments (aka Static Code Reviews) of on critical systems based on each system’s status within the security assessment and authorization cycle, authority to operate status, and estimated risk profile.  In general terms, all systems are subject to security assessment and authorization activities, and as a result of those activities risk are uncovered, but the exploitability of those risks must be evaluated and understood. The Sr. Software/Systems Security Engineer  (aka Static Code Reviewer) will analyze systems for potential vulnerabilities that may result from improper system configuration, hardware or software flaws, or operational weaknesses. Any security issues that are found will be presented to the system owner with an assessment of their impact and a recommendation for mitigation or technical solution. S&T requires static code analysis of applications and systems that are currently deployed and/or in development.  In general, S&T performs automated and manual source code review of applications and tools before they are operationally deployed looking for weaknesses that may be due to prior poor development practices or weak application configuration settings. The selected individual shall perform static code analysis on software developed in-house and by contracted developers and work with the developers throughout the development lifecycle to ensure compliance with secure software development best practices and DHS standards. He or she will present any issues that are found to the ISSO, Compliance Officer, system owner, authorizing official, and the CISO along with an impact assessment and a recommendation for mitigation and technical solution. More specific or detailed expectations also include:

  • Assessing system information security policies against DHS policies.
  • Ensuring policies are comprehensive to system
  • Evaluating security components against their ability to resist threats in the deployed environment.
  • Evaluating configurations and implementation of firewalls, proxy servers, routers, Virtual Private Networks (VPNs), IDS, wireless networks, etc. against legal requirements, departmental/local policy, industry best practices and vendor recommendations.
  • Evaluating process and procedures associated with operations.
  • Conducting vulnerability assessment and penetration testing customized to the system function and technical requirements.
  • Executing standardized IV&V practices to evaluate comprehensive state of the security posture.
  • Performing manual and automated assessments on code delivered during development and as patches during operations against DHS S&T secure code policies and industry best practices.
  • Providing formal reports utilizing S&T pre-established reporting templates, as required, on vulnerabilities uncovered during code reviews and recommendations on how developers can remediate the uncovered issues.
  • Working with development staff to remediate security vulnerabilities as they are identified and provide recommendations on how software development lifecycles need to be modified to address vulnerabilities and concerns.

Minimum Requirements:

  • BS Degree in a technical field.  An  equivalent combination of education and experience may be considered.
  • Must possess any one of the following current certifications:  CSSLP (Preferred), CASP, or CISSP.
  • 5 + years performing in an IA Security role.  Resume must clearly indicate experience in one, preferably more, of the following areas (which understandably overlap) so please elaborate and be specific: 
  • Static Code Analysis, Static Code Review
  • SCA Risk Assessments (Static Code Analysis Risk Assessments
  • Software Security Vulnerability Testing
  • Malicious Code Testing
  • Penetration Testing
  • Open Web Application Security
  • Security Testing Frameworks
  • Automated Security Testing (i.e. HP Fortify)
  • Manual Security Testing.
  • Experience must include:
  • Proven experience with various Security Testing Frameworks (such as Open Web Application Security Projects [OWASP].
  • Expert knowledge of information security principles, web applications and a level of familiarity with malicious code and common techniques used to exploit software vulnerabilities
  • Experience with automated code reviews (using tools like HP Fortify) as well as manual code review techniques to identify application security vulnerabilities.
  • Familiarity with various programming languages and frameworks (C, C++, PHP, .NET, ASP, JAVA, Struts)
  • Solid understanding of Software Development Life Cycle methodologies.
  • Exceptionally good written and oral communication skills.
  • Good interpersonal and consulting-type skills to document and present findings to management and customers.
  • US Citizenship and Secret Clearance required as well as ability to successfully pass Corporate and DHS client suitability background checks.

Planned Systems International provides our customers with value-added management consulting and information technology services that consistently deliver success, and we are recognized as a world-class provider of innovative solutions that benefit mankind. From Systems Lifecycle Support and Healthcare IT Solutions to Network and Desktop Solutions and e-Business, PSI is focused on making our clients’ businesses run smoother and better. With a highly trained technical staff, we apply state-of-the-art information technologies, the industry's most advanced methodologies, and broad-based support services to clients in U.S. Government agencies and the commercial sector.

PSI is an Equal Opportunity Employer.
All qualified candidates are encouraged to apply, including:
Minorities, Women, Individuals with Disabilities, and Protected Veterans.

NOTE TO JOB SERVICE: VEVRAA Federal Contractor requesting priority referrals of Protected Veterans.