StaffAttract

Security Software Engineer On-site

Eccalon, LLC - Detroit, MI


Job Description

We are seeking a Security Software Engineer to build and harden software systems supporting DoD programs operating under CMMC/NIST 800-171/FedRAMP compliance requirements. You will embed security across the SDLC, from design and code review through CI/CD and cloud deployment, working alongside engineering, DevSecOps, and IT teams in a regulated, cloud-native environment (AWS Commercial and GovCloud, Azure GCC High).

Responsibilities

Core Engineering & Secure Development
  • Design and develop secure software with a security-first mindset baked into every phase of the SDLC.
  • Apply secure coding standards, threat modeling, and vulnerability mitigation aligned to NIST 800-53 and CMMC Level 2/3 controls.
  • Conduct architecture reviews and code hardening to address OWASP Top 10 and DoD STIGs.
  • Automate security gates in CI/CD pipelines (SAST, DAST, dependency scanning, secrets detection).

Security Architecture & Controls
  • Design secure system and API architectures for multi-tenant cloud environments, including GCC High and FedRAMP-authorized platforms.
  • Implement IAM controls, JIT provisioning, SSO/SAML/OIDC flows, and least-privilege authorization frameworks (e.g., Cognito, Azure AD).
  • Instrument applications with security logging and monitoring that satisfies audit and continuous monitoring requirements (AU/SI control families).

Vulnerability Management & Response
  • Lead code reviews, SAST/DAST scans, and targeted penetration testing; document findings against control frameworks.
  • Triage and remediate vulnerabilities within POA&M timelines; maintain artifact evidence for compliance assessments.
  • Support incident response for application-layer events; contribute to after-action reports and corrective action plans.

Cross-functional Collaboration
  • Serve as the embedded security champion for engineering squads, raising the security bar through mentorship and code review culture.
  • Develop and deliver security training and runbooks tailored to engineering and DevOps team members.
  • Collaborate with DevOps/SRE to enforce secure IaC, WAF rules, network controls, and runtime monitoring across AWS and Azure environments.

Required Qualifications
  • Bachelor's degree in Computer Science, Engineering, or related field, or equivalent experience.
  • 3+ years of software engineering experience with a strong focus on security.
  • Proficiency in one or more programming languages (e.g., JavaScript/TypeScript, Python, Go, C#).
  • Experience with secure coding practices and frameworks.
  • Strong understanding of application security principles, including:
    • OWASP Top 10
    • Secure API/REST design
    • Cryptography fundamentals
    • Authentication/authorization patterns
  • Experience with code scanning tools (SAST/DAST), threat modeling, and penetration testing.
  • Familiarity with NIST 800-171, CMMC, or FedRAMP security control requirements and evidence collection.
  • Hands-on experience with AWS and/or Azure security services (IAM, WAF, Security Hub, Defender, Sentinel); GCC High or GovCloud experience a plus.

Preferred Qualifications
  • Experience with container security (Docker, ECS).
  • Working knowledge of Zero Trust Architecture principles.
  • Experience building DevSecOps pipelines in regulated environments; familiarity with tools like Prisma, Checkov, Snyk, or Aqua.
  • Relevant certifications (any of the following):
    • CISSP, CSSLP, or CASP+
    • OSCP
    • CEH
    • GIAC (GWAPT, GSEC, GWEB) or CCP/CCA (UK Cyber Essentials equivalent)
  • Experience securing microservices or event-driven architectures on ECS; background in federal or cleared environments preferred.

Created: 2026-05-16
