
Senior AppSec Engineer - Burp Suite, Linux Custom Extensions

Job in Fairfax, Fairfax County, Virginia, 22030, USA
Listing for: phia LLC
Full Time position
Listed on 2026-06-02
Job specializations:
  • IT/Tech
    Cybersecurity, Systems Engineer, Cloud Computing, IT Support
Senior AppSec Engineer - Burp Suite Enterprise, Linux, and Custom Extensions

Bring your own Burp extensions. We'll bring the Linux boxes.

About the Role

phia is hiring a Senior Application Security Engineer to join a small, highly technical AppSec team supporting a federal civilian client. This is a fully remote role within the United States. You will work directly alongside the government technical lead and our existing senior AppSec engineer as the third member of a tight-knit two-to-three person team operating inside a broader 19-person cybersecurity program.

This is a hands-on engineering seat, not a paper-pusher role. The client is a deeply technical Linux/Unix practitioner with strong DevSecOps and AppSec instincts who runs lean by design. We are looking for an engineer who can hold a peer-level technical conversation with him on day one, push back when warranted, and drive technical discussions with development and platform teams outside of security.

If you live in a terminal, build your own tooling, and treat Burp Suite as an extensible platform rather than a point-and-click scanner, you will be at home here.

Who You Are
  • A *nix native. You administer your own Linux servers from the command line every day and you do not reach for a GUI when bash, systemd, or a quick Python script will do.
  • An AppSec specialist whose center of gravity is dynamic application security testing. Burp Suite Enterprise for automated DAST and Burp Suite Professional for manual verification are your primary instruments.
  • A builder. You write custom Burp extensions, session handling rules, and macros to solve problems that the out-of-the-box product cannot. You convert ad-hoc Python and shell scripts into proper Ansible roles and playbooks without being asked twice.
  • Energetic and direct. You lead technical discussions with application development, platform, and identity teams and translate AppSec findings into concrete remediation work.
  • Naturally curious about AppSec and DevSecOps research, and you keep current through OWASP, security advisories, and hands-on lab work with new tooling and techniques.
What You Will Do

Burp Suite Enterprise (Primary Focus)
  • Own day-to-day operations of the Burp Suite Enterprise DAST program: scan scheduling, agent and Linux infrastructure health, scan tuning, and result triage across multiple federal application environments.
  • Configure and troubleshoot authenticated scans against modern web applications and APIs, including recorded login sequences (via the official Burp recorder Chrome extension), session-handling rules, and macro-based re-authentication.
  • Diagnose and resolve Burp Enterprise scan failures end to end: consecutive audit-item failures, skipped insertion points, timeouts, session invalidation, and authentication state loss. You read scan logs and traces, not just dashboards.
  • Extend Burp Suite Professional with custom extensions (Python/Java/Montoya API) to automate repetitive manual verification, custom authentication flows, and findings validation for the bug bounty program.
  • Make Burp Enterprise work against authenticated APIs and applications that were designed for human authorization-code flows by adapting them to OAuth 2.0 client-credentials and other machine-to-machine patterns suitable for automated scanning.
Multi-Factor and Federated Authentication Scanning
  • Design and implement authenticated scan workflows that survive multi-factor authentication, including SMS one-time passwords, TOTP tokens, hardware dongles, PIV and smart card client-certificate authentication, and SSO federation.
  • Partner with the application and identity teams to provision dedicated lower-environment test accounts and authentication paths that allow continuous, hands-off DAST coverage.
  • Clearly articulate and apply the distinctions between OAuth 2.0 authorization-code flow, client-credentials flow, SAML, and OpenID Connect when designing scan authentication strategies.
Linux Infrastructure and Automation
  • Administer the AppSec team's own Linux infrastructure in AWS (currently EC2 with containerized Burp Enterprise components) and contribute to the migration to on-premise OpenShift.
  • Convert legacy…
Position Requirements
10+ Years work experience