Security Software Engineer

We are seeking a Security Software Engineer to build and harden software systems supporting DoD programs operating under CMMC/NIST 800-171/FedRAMP compliance requirements. You will embed security across the SDLC-from design and code review through CI/CD and cloud deployment-working alongside engineering, DevSecOps, and IT teams in a regulated, cloud-native environment (AWS Commercial and GovCloud, Azure GCC High)., Core Engineering & Secure Development

• Design and develop secure software with a security-first mindset baked into every phase of the SDLC.
• Apply secure coding standards, threat modeling, and vulnerability mitigation aligned to NIST 800-53 and CMMC Level 2/3 controls.
• Conduct architecture reviews and code hardening to address OWASP Top 10 and DoD STIGs.
• Automate security gates in CI/CD pipelines (SAST, DAST, dependency scanning, secrets detection).

Security Architecture & Controls

• Design secure system and API architectures for multi-tenant cloud environments, including GCC High and FedRAMP-authorized platforms.
• Implement IAM controls, JIT provisioning, SSO/SAML/OIDC flows, and least-privilege authorization frameworks (e.g., Cognito, Azure AD).
• Instrument applications with security logging and monitoring that satisfies audit and continuous monitoring requirements (AU/SI control families).

Vulnerability Management & Response

• Lead code reviews, SAST/DAST scans, and targeted penetration testing; document findings against control frameworks.
• Triage and remediate vulnerabilities within POA&M timelines; maintain artifact evidence for compliance assessments.
• Support incident response for application-layer events; contribute to after-action reports and corrective action plans.

Cross-functional Collaboration

• Serve as the embedded security champion for engineering squads, raising the security bar through mentorship and code review culture.
• Develop and deliver security training and runbooks tailored to engineering and DevOps team members.
• Collaborate with DevOps/SRE to enforce secure IaC, WAF rules, network controls, and runtime monitoring across AWS and Azure environments.

• Bachelor's degree in Computer Science, Engineering, or related field-or equivalent experience.
• 3+ years of software engineering experience with a strong focus on security.
• Proficiency in one or more programming languages (e.g., JavaScript/TypeScript, Python, Go, C#).
• Experience with secure coding practices and frameworks.
• Strong understanding of application security principles, including:
• OWASP Top 10
• Secure API/REST design
• Cryptography fundamentals
• Authentication/authorization patterns
• Experience with code scanning tools (SAST/DAST), threat modeling, and penetration testing.
• Familiarity with NIST 800-171, CMMC, or FedRAMP security control requirements and evidence collection.
• Hands-on experience with AWS and/or Azure security services (IAM, WAF, Security Hub, Defender, Sentinel); GCC High or GovCloud experience a plus., * Experience with container security (Docker, ECS).
• Working knowledge of Zero Trust Architecture principles.
• Experience building DevSecOps pipelines in regulated environments; familiarity with tools like Prisma, Checkov, Snyk, or Aqua.
• Relevant certifications (any of the following):
• CISSP, CSSLP, or CASP+
• OSCP
• CEH
• GIAC (GWAPT, GSEC, GWEB) or CCP/CCA (UK Cyber Essentials equivalent)
• Experience securing microservices or event-driven architectures on ECS; background in federal or cleared environments preferred.