Web Application Security Tester Security Clearance

Position: Web Application Security Tester with Security Clearance
Overview

Title:

Web Application Security Tester

Location:

Herndon, VA
- Remote in States Foxhole is registered to do business Clearance:
Active DoD Secret Foxhole Technology provides robust cybersecurity and IT support capabilities for federal civilian and defense agencies. A recognized leader in navigating technology and security challenges, Foxhole delivers mission-focused innovations to answer evolving and complex needs. Our talented employee-owners provide agile, scalable services and solutions that solve operational gaps, operate critical systems, and protect and secure the enterprise - across the organization and around the world.

Support the Web Application Security Program (WASP) mission to ensure that security is integrated systematically and comprehensively throughout the Software Development Life Cycle (SDLC).

Job Description
* Perform security reviews of web application architectures, APIs, and supporting infrastructure.
* Perform Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) using industry-standard tools.
* Conduct application spidering, fuzzing, and business logic abuse testing to identify vulnerabilities.
* Execute Web Application Penetration Testing against modern frameworks (e.g., React, Angular, Node.js, Django, Flask, .NET Core).
* Test APIs using REST and Graph

QL fuzzing, schema validation, and security automation.
* Identify and validate vulnerabilities such as:
* OWASP Top 10
* Business Logic flaws
* API Security vulnerabilities (OWASP API Top 10)
* Authentication and authorization weaknesses
* Deserialization and injection flaws
* Conduct manual exploit validation beyond automated tool output to reduce false positives.
* Develop and maintain test automation scripts using frameworks like Burp Suite Extender API, ZAP scripting, and custom Python tools.
* Integrate security testing into CI/CD pipelines using Git Lab CI, Git Hub Actions, Jenkins, or Azure Dev Ops.
* Utilize SCA (Software Composition Analysis) tools to identify vulnerable dependencies (e.g., Snyk, Dependency-Check, Black Duck).
* Implement the Common Weakness Scoring System (CWSS) and assist in Common Vulnerability Scoring System (CVSS) ratings for prioritization.
* Generate technical reports and provide remediation guidance to developers, system owners, and ISSOs.
* Provide monthly and annual program metrics including trends in vulnerability classes, remediation timelines, and residual risk.

Minimum Requirements
* Active DoD Secret security clearance
* 5 + years of progressive incident response experience
* DoD IAT II required certification/s ( one of the following ): CCNA-Security, CySA+ (CSA+), GICSP, GSEC, Security+ CE, CND, SSCP, GWAPT, OSWE, eWPT
* CSSP-AUrequired certification/s ( one of the following ): GSNA, CISA
* Required Tools & Hands-On Skills
* Web Security Testing & Automation:
Burp Suite Pro, OWASP ZAP, Postman, Fiddler, mitmproxy.
* SAST/DAST:
Checkmarx, Fortify, Veracode, Sonar Qube, Acunetix, App Scan.
* SCA (Software Composition Analysis):
Snyk, OWASP Dependency-Check, Black Duck, Mend.
* Fuzzing & Exploit Development: AFL, Peach Fuzzer, boofuzz.
* API Security Testing:
Postman, Insomnia, Ready

API, Burp Suite extensions for Graph

QL/REST.
* CI/CD Security Integration:
Git Lab CI, Jenkins, Git Hub Actions, Azure Dev Ops with security plugins.
* Containers & Cloud Security (preferred):
Docker, Kubernetes, AWS Inspector, Prisma Cloud. Desired Experience/Certifications
* Strong knowledge of the OWASP Top 10 and OWASP ASVS.
* Familiarity with CWE, NIST 800-53/171, and DISA STIGs.
* Hands-on experience with scripting languages (Python, Bash, Power Shell, JavaScript).
* Familiarity with Dev Sec Ops  practices and secure coding guidelines.
* Ability to communicate complex findings clearly to both technical and non-technical stakeholders. More Information Requirements of position:
Think analytically, effective verbal and written communication skills, make decisions, observe/remember details, interpret data, concentrate on tasks, adjust to change, handle stress/emotions. Regular attendance, maintain work schedule, attend meetings, meet deadlines, keyboard/type, handle confidential information, use math/calculations, stay organized, operate office equipment, may direct others. May be exposed to dust/dirt, humidity, and noise. Foxhole Technology is an Equal Opportunity Employer and makes hiring decisions without regard to race, color, religion, sex (including pregnancy, childbirth and sexual orientation), national origin, age, disability, genetic information, military/veteran status, or any other protected class.