[Remote] Lead Application Security Engineer

Note: The job is a remote job and is open to candidates in USA. phia, LLC is a Northern Virginia based small business focused on Cyber Intelligence and Cyber Security. They are seeking a Lead Application Security Engineer to drive the dynamic application security testing program for a federal civilian client, overseeing the Burp Suite Enterprise program and ensuring robust application security practices.

Responsibilities

• Run a Federal Burp Suite Enterprise Program
• Architect, operate, and continuously improve scheduled authenticated DAST scanning
• Write and maintain extensions (Python/Jython or Java/Montoya API)
• Authenticate scanning against hard targets
• Verify remediations, kill false positives with evidence
• Lead and drive discussions with DevOps, platform, and identity stakeholders
• Administer the team’s Linux servers in AWS
• Support the migration to OpenShift
• Convert legacy Python/shell tooling into Ansible roles and playbooks
• Integrate security tooling into GitHub Actions or comparable CI/CD pipelines

Skills

• 8+ years in engineering/security, with deep, recent, hands-on Burp Suite Enterprise and Burp Suite Professional operations — you have configured authenticated scans, not just reviewed their output
• Demonstrated experience writing or significantly modifying custom Burp extensions (Python/Jython, Java, or Montoya API)
• Strong Linux/Unix command-line fluency — comfortable diagnosing services, disk, memory, and network from a shell, daily
• Python and Bash scripting; Ansible exposure; experience with Docker/Kubernetes (OpenShift a plus) and AWS
• Experience integrating security tooling into GitHub Actions or comparable CI/CD pipelines
• Proven technical leadership: you have driven programs or technical decisions across teams and can hold your own — energetically — in a room of senior engineers
• An active, visible interest in AppSec and DevSecOps research: you test new techniques, follow the field, and bring ideas to the team unprompted
• U.S. citizenship and the ability to complete federal Public Trust vetting (no security clearance required)
• Published Burp extensions (BAppStore or GitHub), conference talks, blog posts, or open-source security tooling
• Experience scripting around OTP/TOTP, PIV, or certificate-based authentication for automated scanning
• Veracode SAST, Contrast IAST, or bug bounty validation experience (HackerOne or similar)
• Prior federal or regulated-environment AppSec work (NIST 800-53 / FISMA familiarity)

Benefits

• Medical Insurance
• Dental Insurance
• Vision Insurance
• Life Insurance
• Short Term & Long-Term Disability
• 401k Retirement Savings Plan with Company Match
• Paid Holidays
• Paid Time Off (PTO)
• Tuition and Professional Development Assistance

Company Overview