Conviso Inc. · 11 hours ago
Application Security Administrator
Conviso Inc. is seeking an Application Security Tooling Administrator to enhance the application security scanning ecosystem for a defense agency. The role involves designing, operating, and improving security tools throughout the software development life cycle, ensuring robust security measures in regulated environments.
Responsibilities
Deploy, configure, harden, and maintain Sonatype, Fortify, StackRox, and Burp in on-prem and/or accredited cloud environments
Manage upgrades, plugins, licensing, capacity planning, backup/restore, high availability, and disaster recovery
Establish SLAs/SLOs, monitoring/alerting, and operational runbooks
Integrate tools into CI/CD pipelines (e.g., Jenkins, GitLab CI) with policy-based gating and risk-based exceptions
Standardize developer “secure-by-default” workflows: pull request checks, nightly scans, release readiness criteria
Build reusable templates and reference implementations for product teams
Define and tune scanning policies (severity thresholds, exploitability context, allowlists/denylists, quality gates) aligned to agency standards
Reduce false positives/negatives through rule tuning, calibration, and developer feedback loops
Maintain an auditable vulnerability management workflow: triage, ownership, remediation SLAs, and exception/waiver documentation
Provide actionable findings with clear reproduction steps and secure coding guidance
Partner with engineering teams to remediate issues in code, dependencies, container images, and Kubernetes configurations
Coordinate retesting and verify fixes (including targeted Burp validation for high-risk apps/APIs)
Implement image scanning, runtime detections, admission controls, and Kubernetes policy enforcement
Integrate with registries and orchestration platforms; maintain cluster baselines and least-privilege controls
Operationalize incident-ready detections and response playbooks with SOC/IR teams
Produce metrics and dashboards: vulnerability trends, time-to-remediate, pipeline pass rates, policy exceptions
Support Risk Management Framework (RMF) / Authority to Operate (ATO) evidence needs with scan outputs, control mappings, and procedures
Qualifications
Required
Must have active Secret / Tier 5 Secret Security Clearance or higher
3+ years in application security engineering and/or DevSecOps in regulated environments
Hands-on administration and pipeline integration experience with Sonatype (Nexus IQ/Lifecycle), Fortify (SCA/SSC), StackRox/Red Hat ACS, and Burp Suite (Professional/Enterprise preferred)
Strong CI/CD and automation skills; ability to implement repeatable integrations and policy gates
Working knowledge of: Secure SDLC, OWASP Top 10, dependency risk, SBOM concepts, container/Kubernetes security
Linux administration, networking fundamentals, TLS/cert management, identity integration (SSO/LDAP)
Common languages/build systems (e.g., Java/Maven/Gradle, .NET/NuGet, Node/npm, Python/pip)
Oracle Cloud Infrastructure
Preferred
DoD/IC experience with RMF, STIGs, and vulnerability management processes
Familiarity with registries and orchestration: Harbor/Artifactory/ECR, Kubernetes/OpenShift, Helm
Experience integrating with SIEM/SOAR and ticketing (e.g., Splunk, ServiceNow, Jira)
Relevant certifications (one or more): Security+, CISSP, CSSLP, GIAC, Kubernetes security certs
Company
Conviso Inc.
At Conviso, we empower both government and commercial clients by delivering tailored professional services that drive success and help them overcome unique business challenges.