[Hiring] Application Security Engineer @Phia LLC
Application Security Engineer @Phia LLC
Software Development
Salary unspecified
Remote Location
🇺🇸 USA Only
Employment Type full-time
Posted YDay

YDay - Phia LLC is hiring a remote Application Security Engineer. 💸 Salary: unspecified 📍Location: USA

Role Description

At phia, we hire talented and passionate people who are focused on collaborative, meaningful work, providing technical and operational subject matter expertise and support services to our partners and clients. phia is seeking a mission-driven Application Security Engineer to act as a dedicated technical partner embedded within a federal agency’s AppSec team.

You will plan, administer, and triage application security testing workflows using Veracode and Burp Suite Enterprise, manage security integrations within a CI/CD pipeline, and serve as a technical resource for development teams navigating vulnerability remediation. You will work directly alongside federal clients and a small, experienced AppSec team in a fast-paced, technically driven environment where clear communication and autonomous execution are expected every day.

What You’ll Do

  • Scan Operations: Plan, schedule, and administer SAST and DAST scans using Veracode across a portfolio of federal web applications; manage scan frequency, result downloads, and client reporting.
  • Application Testing: Conduct hands-on application security assessments using Burp Suite Enterprise — including proxy capture, authentication testing, repeater analysis, and manual verification of findings.
  • Finding Management: Triage scan results to distinguish true positives from false positives; coordinate with development teams to verify that remediations are correctly implemented before closing findings.
  • CI/CD Security Integration: Integrate and maintain security tooling within CI/CD pipelines using GitHub Actions; work with Dependabot and reusable workflow patterns as the team migrates from GitLab to GitHub.
  • Authentication Testing: Support complex authentication testing scenarios including PIV card, EntraID, and SSO configurations that are a known operational challenge on this contract.
  • IAST Management: Operate Contrast for IAST coverage across 150+ applications; maintain tool availability and manage workflow queues.
  • Client Communication: Communicate findings, status, and remediation guidance to development teams and federal clients during daily stand-ups and technical sessions.
  • Compliance Alignment: Maintain working knowledge of evolving threats and federal compliance requirements including NIST 800-53, FISMA, and FedRAMP to support a security-conscious operating environment.

Qualifications

  • AppSec Practitioner: You have hands-on, operational experience running SAST and DAST programs — not just familiarity. You’ve scheduled scans, managed result pipelines, and worked with development teams on remediation.
  • Veracode & Burp Suite Expert: You can configure and run Veracode scans end-to-end and use Burp Suite (proxy, repeater, scanner) to conduct manual application testing. You know the difference between what each tool catches.
  • Linux-Comfortable: You work in Linux CLI daily — navigating directories, checking service status, running network diagnostics, and troubleshooting without needing a GUI.
  • Pipeline-Aware: You understand CI/CD concepts and have worked security tooling into a pipeline. You know what a GitHub Actions workflow looks like and can contribute to one.
  • Coder: You write Python, bash, or similar scripts to automate repetitive security tasks. You can build and maintain tooling that makes your workflow faster.
  • Federal-Fluent: You’ve worked in or alongside a federal environment and understand what FISMA, NIST 800-53, and FedRAMP mean in practice.
  • Communicator: You participate actively in daily stand-ups, flag issues early, and can explain a technical finding clearly to a non-technical federal stakeholder.

Preferred Skills

  • Experience with Contrast (IAST) — deployment or workflow administration across a large application portfolio
  • HackerOne or bug bounty program participation; published CVEs or CWEs a plus
  • Selenium experience; experience scripting authentication flows for SSO or EntraID environments
  • Familiarity with OWASP ZAP or Burp Proxy as complementary tooling
  • Certifications in application security: CSSLP, OSCP, GWAPT, or equivalent

Requirements

  • Education: High school diploma or GED required; Bachelor’s degree in Computer Science, Information Technology, Information Security, or related field preferred (experience may substitute for degree)
  • Experience: 6+ years of IT experience; 3+ years specifically in SAST/DAST application security testing; 2+ years of coding in Python, Java, .NET, or C#; 3+ years designing and implementing enterprise-wide security controls
  • Clearance: Public Trust / Suitability — U.S. Citizenship required; applicants selected will be subject to a security investigation

Benefits

  • Medical Insurance
  • Dental Insurance
  • Vision Insurance
  • Life Insurance
  • Short Term & Long-Term Disability
  • 401k Retirement Savings Plan with Company Match
  • Paid Holidays
  • Paid Time Off (PTO)
  • Tuition and Professional Development Assistance