Application Security Engineer - Veracode

phia, LLC
8 days ago

Role details

Contract type
Temporary contract
Employment type
Full-time (> 32 hours)
Working hours
Shift work
Languages
English
Experience level
Intermediate

Job location

Remote

Tech stack

Java
.NET
Application Portfolio Management
Application Testing
User Authentication
Burp Suite
C Sharp (Programming Language)
Computer Security
Continuous Integration
Linux
Github
Python
Network Diagnostics
Selenium
Software Vulnerability Management
Web Applications
Software Security
Veracode
Gitlab
GWAPT
Information Technology
Static Application Security Testing
Dynamic Application Security Testing

Job description

At phia we hire talented and passionate people who are focused on collaborative, meaningful work, providing technical and operational subject matter expertise and support services to our partners and clients. phia is seeking a mission-driven Application Security Engineer to act as a dedicated technical partner embedded within a federal agency's AppSec team.

You will plan, administer, and triage application security testing workflows using Veracode and Burp Suite Enterprise, manage security integrations within a CI/CD pipeline, and serve as a technical resource for development teams navigating vulnerability remediation. You will work directly alongside federal clients and a small, experienced AppSec team in a fast-paced, technically driven environment where clear communication and autonomous execution are expected every day.

What You'll Do

Scan Operations: Plan, schedule, and administer SAST and DAST scans using Veracode across a portfolio of federal web applications; manage scan frequency, result downloads, and client reporting.
Application Testing: Conduct hands-on application security assessments using Burp Suite Enterprise, including proxy capture, authentication testing, repeater analysis, and manual verification of findings.
Finding Management: Triage scan results to distinguish true positives from false positives; coordinate with development teams to verify remediations are correctly implemented before closing findings.
CI/CD Security Integration: Integrate and maintain security tooling within CI/CD pipelines using GitHub Actions; work with Dependabot and reusable workflow patterns as the team migrates from GitLab to GitHub.
Authentication Testing: Support complex authentication testing scenarios including PIV card, EntraID, and SSO configurations that are a known operational challenge on this contract.
IAST Management: Operate Contrast for IAST coverage across 150+ applications; maintain tool availability and manage workflow queues.
Client Communication: Communicate findings, status, and remediation guidance to development teams and federal clients during daily standups and technical sessions.
Compliance Alignment: Maintain working knowledge of evolving threats and federal compliance requirements including NIST 800-53, FISMA, and FedRAMP to support a security-conscious operating environment.

Requirements

AppSec Practitioner: You have hands-on, operational experience running SAST and DAST programs, not just familiarity. You've scheduled scans, managed result pipelines, and worked with development teams on remediation.
Veracode & Burp Suite Expert: You can configure and run Veracode scans end-to-end and use Burp Suite (proxy, repeater, scanner) to conduct manual application testing. You know the difference between what each tool catches.
Linux-Comfortable: You work in the Linux CLI daily: navigating directories, checking service status, running network diagnostics, and troubleshooting without needing a GUI.
Pipeline-Aware: You understand CI/CD concepts and have worked security tooling into a pipeline. You know what a GitHub Actions workflow looks like and can contribute to one.
Coder: You write Python, bash, or similar scripts to automate repetitive security tasks. You're not a developer, but you can build and maintain tooling that makes your workflow faster.
Federal-Fluent: You've worked in or alongside a federal environment and understand what FISMA, NIST 800-53, and FedRAMP mean in practice, not just on paper.
Communicator: You participate actively in daily standups, flag issues early, and can explain a technical finding clearly to a non-technical federal stakeholder.

Preferred Skills

Experience with Contrast (IAST): deployment or workflow administration across a large application portfolio
HackerOne or bug bounty program participation; published CVEs or CWEs a plus
Selenium experience; experience scripting authentication flows for SSO or EntraID environments
Familiarity with OWASP ZAP or Burp Proxy as complementary tooling
Certifications in application security: CSSLP, OSCP, GWAPT, or equivalent

Required Education + Experience

Education: High school diploma or GED required; Bachelor's degree in Computer Science, Information Technology, Information Security, or a related field preferred (experience may substitute for degree)
Experience: 6+ years of IT experience; 3+ years specifically in SAST/DAST application security testing; 2+ years of coding in Python, Java, .NET, or C#; 3+ years designing and implementing enterprise-wide security controls
Clearance: Public Trust / Suitability; U.S. Citizenship required; applicants selected will be subject to a security investigation

Benefits & conditions

Citizenship: Must be a U.S. Citizen. No exceptions.
Work Hours: Core hours 7:30 AM - 4:30 PM ET, Monday through Friday; daily standup at 8:30 AM ET; schedule is flexible with advance notice
Work Location: Fully remote within the United States
Travel: Minimal

phia offers excellent benefits to enhance work-life balance, including the following:

Medical Insurance
Dental Insurance
Vision Insurance
Life Insurance
Short Term & Long-Term Disability
401k Retirement Savings Plan with Company Match
Paid Holidays
Paid Time Off (PTO)
Tuition and Professional Development Assistance

phia does not discriminate on the basis of race, sex, color, religion, age, national origin, marital status, disability, veteran status, genetic information, sexual orientation, gender identity, or any other reason prohibited by law in the provision of employment opportunities and benefits.

About the company

phia LLC ("phia") is a Northern Virginia based small business established in 2011 with a focus on Cyber Intelligence, Cyber Security/Defense, Intrusion Analysis & Incident Response, Cyber Architecture & Capability Analysis, Cyber Policy & Strategy, Information Assurance/Security, Compliance, Certification & Accreditation, Communications Security, Traditional Security, and Facilities Security. phia also provides cyber operations support functions such as Program and Process Management, Engineering, Development, and Systems Administration that allow Cyber Operations to efficiently integrate our customers' missions and objectives. phia supports various agencies and offices within the Department of Defense (DoD), the Federal government, and private/commercial entities.