Software Security Engineer; Java Security Clearance

Position: Software Security Engineer (Java) with Security Clearance
Software Security Engineer (Java) Mid: $80,000 - $98,000 Senior: $100,000 - $169,000 Newport News, VA | Active Secret Clearance Required | On-Site

Role Overview Safeguard mission-critical defense systems by securing Java-based software operating in classified environments. As a Software Security Engineer (Java), you will work hands-on with Java source code, performing static code analysis, identifying security vulnerabilities, and supporting remediation efforts across the secure software development lifecycle. This role is engineering-focused, not policy-only. You will collaborate directly with software developers, systems engineers, ISSOs, and network teams to strengthen the security posture of actively deployed and sustained Java applications supporting national defense missions.

What You'll Do
* Perform static security analysis of Java source code, identifying vulnerabilities and security weaknesses and clearly explaining findings to development teams.
* Use Fortify and Software Security Center (SSC) hands-on to execute scans, analyze results, validate findings, and support vulnerability remediation.
* Support secure software design by applying defense-in-depth principles across Java-based systems operating in classified environments.
* Provide technical input to RMF activities, including vulnerability evidence, control implementation details, and remediation tracking (not policy ownership).
* Conduct vulnerability assessments and security reviews in alignment with DoD requirements.
* Apply and validate Security Technical Implementation Guides (STIGs) and configuration controls across systems and applications.
* Monitor systems using ACAS and other DoD-approved tools to identify security risks and compliance gaps.
* Participate in incident response and forensic analysis efforts as needed.
* Collaborate closely with:
* Software developers on secure coding and remediation
* Systems engineers on architecture and control implementation
* ISSOs and network teams on compliance and operational security
* Produce clear technical documentation and briefings for both technical and non-technical stakeholders.
* Mentor junior engineers and contribute to continuous improvement of security practices.

Required Qualifications
* U.S. Citizenship + Active Secret clearance
* Proven experience performing static security analysis of Java code
* Must be able to read, understand, and explain Java logic and vulnerabilities
* Hands-on experience using Fortify and Software Security Center (SSC)
* CompTIA Security+ (DoD 8570 IAT Level II compliant)
* Ability to work on-site full time in Newport News, VA (80-90% of work performed in a secure lab)
* 2+ years with a Bachelor's degree in Computer Science, Information Security, or a related discipline
* Strong understanding of cybersecurity engineering principles and secure software implementation
* Working knowledge of:
* Risk Management Framework (RMF) controls and documentation
* ACAS scanning, configuration, and reporting
* STIG implementation and compliance enforcement
* Industry frameworks such as NIST, NIST 800-53, and ISO 27001
* Strong analytical skills and the ability to clearly communicate technical findings

Preferred Qualifications
* Master's degree in Cybersecurity, Information Assurance, or related discipline
* Advanced certifications (CISSP, CISM, CEH, OSCP)
* Experience with additional languages such as C++ or Python in secure environments
* Familiarity with cloud security, virtualized infrastructure, or zero-trust architectures
* Experience supporting both active development and sustainment environments
* Exposure to automated vulnerability scanning, SIEM tools, or advanced threat detection
* Interest in emerging cybersecurity technologies within the defense sector Mid vs Senior Expectations
* Mid-Level: Strong Java and security fundamentals with hands-on Fortify experience; capable of contributing immediately with guidance on RMF processes.
* Senior-Level: Deeper technical ownership, mentorship of junior staff, and greater influence on secure design decisions and remediation strategy. Important Notes
* This role is not a SOC analyst, ISSO, or cloud-only Dev Sec Ops  position.
* Candidates must bring real Java security experience - not just tool exposure.
* Classified, on-site work is a core requirement. Who is Caribou Thunder? Caribou Thunder is a HUBZone-certified small business providing advanced technical and engineering services to the U.S. Department of War and its mission partners. 35+ states and 20+ countries. We've delivered trusted solutions for over two decades - strengthening national readiness across missions on land, undersea, in the air, and throughout LEO, MEO, GEO, and deep space.

Why Caribou Thunder? TEAM THUNDER - Mission Focused. Delivery Proven. Ready to Serve.
* Employee Advocacy
* Mission Proven
* Global Reach
* Skilled Teams
* Modern Tools
* Empowering Culture Our engineers and innovators ensure capability from sea floor to space frontier -…