Sr. Software Security Engineer

Company Overview

Alpha logic is a global technology solutions company headquartered in the Washington, DC metropolitan area. Alpha logic offers a wide range of technology and consulting services; predictive analytics, data warehousing & BI, cloud consulting, web & mobile application development.

Alpha logic’s core competencies are cloud and mobile computing; healthcare solutions and services; data warehousing-analytics- business intelligence; and enterprise collaboration-content management. Alpha logic teams are continually deploying emerging technologies to meet our clients’ current challenges.

Alpha logic specializes in the effective use of industry-standard frameworks such Agile, for helping our clients achieve quick wins and reduce cycle times.

The Senior Software Security Engineer will work within the software engineering organization to translate and define security requirements, use and mature practices for building secure applications; and suggest and support remediation activities for identified vulnerabilities. This position requires interest and expertise in defining and executing on a software engineering security practice; strong proven software development skills; expertise with major software infrastructures (J2EE, .NET,

Oracle) and architectures (Web, SOA); an ability to build rapport and credibility with management and software development teams; and the ability to document and communicate the results of code reviews and penetration tests. Successful candidates must be action-oriented self-starters, capable of solving complex technical problems both independently and in a team environment. Candidates must also be able to communicate clearly and effectively to both technical and executive level audiences, both verbally and in written form.

• Defines and mentors software engineering teams on processes that build security in, such as security related programming standards, use of APIs that support secure coding, code review, use of automated scanning tools, and penetration testing.
• Works with software engineering teams and Enterprise Architecture (EA) to build out formal product security plans that put in place controls to build security in during the software development life cycle.
• Stays current with emerging software security technologies, trends, and attack vectors, with a primary focus on internal reference architectures and security standards.
• Performs/participates in architectural reviews that are meant to identify and remedy architectural security flaws.
• Responsible for the use of security-related code analysis tools and takes the lead on tuning, enhancements, upgrades, and tool integration.
• Develops threat models in conjunction with architects and software engineering staff.
• Oversees the development of misuse/abuse cases in conjunction with requirements analysts.
• Works with the Information Security Office on incident response and operational/strategic initiatives.

Qualifications
Education/Experience
Related Skills & Other Requirements:

• Strong and evolving competence in several programming languages and technologies, mastery of one or more tools sets, technologies, and implementation environments.
• Advanced knowledge of programming languages, relational database management systems, networking technology, multiple desk operating systems and multiple server operating systems.
• Must have adequate knowledge of J2EE and/or .NET technologies.
• Experience writing automated unit tests.
• Experience in performing code reviews.
• Knowledge of TCP/IP, HTTP/S and other protocols.
• Knowledge of cross-site scripting (XSS), session hijacking, SQL injection, CSRF (Cross-Site Request Forgery), OWASP Top 10, and other attack vectors a plus.
• Knowledge of OWASP Web Security Certification Criteria, OWASP testing guidelines and PCI Data Security Standards is a plus.
• Experience with one or more of the following tools is a plus: nmap, Nessus, Metasploit, TCPDump, Burp Suite, ZAProxy.
• Experience with IBM App Scan Source Edition, IBM App Scan Standard, and/or HP Fortify is a plus.
• Experience with the following source code repositories is a plus: SVN, GIT, IBM Clear Case
• Any knowledge of one or more of the following is a plus -- Python, Ruby, PHP or other scripting languages.
• Reverse engineering experience is a plus.
• Protocol analysis and forensic analysis experience is a plus.
• Experience installing, configuring and maintaining continuous integration (CI) environment(s) using tools such as Cruise Control, Cruise , Hudson, Jenkins, Bamboo, Gauntlet, in a test driven development (TDD) process is a plus.
• Experience with one or more of the following static analysis tools is a plus:
  Find Bugs, FxCop, and PMD.
• Additional certifications such as CISSP, CSSLP, CEH, ENCE, CCE, GCFA, GCIA, GCIH, CHFI and/or QSA are highly desired.

No C2C or Agency candidates. Local candidates are strongly encouraged to apply.