Cybersecurity Subject Matter Expert, Strategic Operational Solutions, Washington, DC
Strategic Operational Solutions -
Washington, DC,
US
Cybersecurity Subject Matter Expert
Date Posted: 2024-06-24
Job description
Brief Overview of Position:
Strategic Operational Solutions (STOPSO) is seeking candidates for a Cybersecurity Subject Matter Expert. This position will be used to produce program and enterprise system scan results for final ATO approval/submission.
STOPSO is ISO 9001, ISO 20000-1, ISO 27001 certified and CMMI-SVC Level 2 appraised IT Services and Solutions company. We look for talented people to join our Team to develop and deliver solutions. Our environment is cutting-edge and highly rewarding, our team members are constantly learning and sharing their knowledge with our customers and each other. Our employees receive recognition for the solutions they provide to our customers and the value they bring to our company. Consider joining us today to make a difference.
Primary Responsibilities:
Education, Experience, and Security Requirements:
Strategic Operational Solutions (STOPSO) is seeking candidates for a Cybersecurity Subject Matter Expert. This position will be used to produce program and enterprise system scan results for final ATO approval/submission.
STOPSO is ISO 9001, ISO 20000-1, ISO 27001 certified and CMMI-SVC Level 2 appraised IT Services and Solutions company. We look for talented people to join our Team to develop and deliver solutions. Our environment is cutting-edge and highly rewarding, our team members are constantly learning and sharing their knowledge with our customers and each other. Our employees receive recognition for the solutions they provide to our customers and the value they bring to our company. Consider joining us today to make a difference.
Primary Responsibilities:
- Identify gaps or vulnerabilities in systems, which includes managing and modifying applications security scan profile and scan policies as per the baseline standards.
- Assist senior team members with maintaining application and database scanning (server) infrastructure (application/product updates, database maintenance, benchmark/audit files, application/server builds, rule pack/content updates, scanner, or agent deployment etc.)
- Awareness/Knowledge of Continuous Integration and Continuous Delivery Platforms (Jenkins, Bamboo, Azure DevOps, etc.)
- Awareness/Knowledge of code and artifact repositories; including scanning tools (bitbucket, artifactory, Azure Repos, TFS, Nexus, etc.)
- Assist senior team members with performing security analysis and false positive analysis of vulnerabilities at the different layers of the systems (application database layers) by performing manual testing and automated system vulnerability assessment scans using various web, application, operating systems, and database vulnerability scanners.
- Assist senior team members with performing vulnerability assessments and applications security testing on both native and web based mobile applications on different platforms.
- Review scanner reports/results and work with the application and/or development teams to remediate issues following a risk-based approach. This includes the development of remediation timelines, including recommending and monitoring remediation activities.
- Continuously monitor the published vulnerabilities for various applications, operating systems, and databases. Based on the publicly disclosed vulnerabilities determine the patching priority and notify the stakeholders. Review the applied patch by re-scanning the disclosed vulnerabilities. (Familiar with OWASP Top 10, etc.)
- Evaluate and analyze leading edge security technologies to be implemented to improve the organization's security posture
- Provide complex technical guidance, oversight, and enforcement of security directives, policies, standards, plans, and procedures
Education, Experience, and Security Requirements:
- Bachelor's Degree in Computer Science, Information Technology, Engineering or a similar program
- A minimum of 10 years as a cybersecurity support professional
- Certified resource with either one of listed certification CISSP, CISM, CAP, GIAC, GWAPT, Security+ CEH or CPT
- Extensive experience working in a Federal cyber security environment, IT or other related industry experience
- Knowledge of FedRAMP, and NIST authorization to operate (ATO) process and procedures, and Cyber policy
- Developer experience is preferred in a least one scripting / programming language.
- Experience with reviewing cybersecurity vulnerabilities for risk and relevance as well as in vulnerability mitigations/remediation planning, for identified systems application and database vulnerabilities
- Knowledge of at least one DAST Scanning Tools (AppSpider, WebInspect, Burp Suite, AppScan, Netsparker, Acunetix, OWASP ZAP, etc) is required.
- Knowledge of at least one SAST Scanning Tools (Checkmarx, Fortify, Sonarqube, etc) is required.
- Understanding of Microsoft Windows and Linux/UNIX operating systems. (various)
- Knowledge of middleware / web technologies (apache, tomcat, IIS, etc)
- Knowledge of Databases (MS SQL, MySQL, Oracle, etc)
- Understanding of TCP/IP networking.
- Container security experience is desired but not required; should be familiar with container technology and general concepts at a minimum
- Must be a U.S Citizen with an active top secret clearance