phia, LLC is a Northern Virginia-based small business focused on cyber intelligence and cyber security. It is seeking a Lead Application Security Engineer to drive the dynamic application security testing (DAST) program for a federal civilian client, owning the Burp Suite Enterprise deployment and ensuring robust application security practices.
Responsibilities:
- Run a Burp Suite Enterprise program for a federal client
- Architect, operate, and continuously improve scheduled authenticated DAST scanning
- Write and maintain Burp extensions (Python/Jython, or Java against the Montoya API)
- Get authenticated scans working against hard targets (for example, logins gated by OTP/TOTP, PIV, or client certificates)
- Verify remediations and close out false positives with reproducible evidence
- Lead and drive discussions with DevOps, platform, and identity stakeholders
- Administer the team’s Linux servers in AWS
- Support the migration to OpenShift
- Convert legacy Python/shell tooling into Ansible roles and playbooks
- Integrate security tooling into GitHub Actions or comparable CI/CD pipelines
Requirements:
- 8+ years in engineering/security, with deep, recent, hands-on Burp Suite Enterprise and Burp Suite Professional operations — you have configured authenticated scans, not just reviewed their output
- Demonstrated experience writing or significantly modifying custom Burp extensions (Python/Jython, Java, or Montoya API)
- Strong Linux/Unix command-line fluency — comfortable diagnosing services, disk, memory, and network from a shell, daily
- Python and Bash scripting; Ansible exposure; experience with Docker/Kubernetes (OpenShift a plus) and AWS
- Experience integrating security tooling into GitHub Actions or comparable CI/CD pipelines
- Proven technical leadership: you have driven programs or technical decisions across teams and can hold your own — energetically — in a room of senior engineers
- An active, visible interest in AppSec and DevSecOps research: you test new techniques, follow the field, and bring ideas to the team unprompted
- U.S. citizenship and the ability to complete federal Public Trust vetting (no security clearance required)
Preferred qualifications:
- Published Burp extensions (BApp Store or GitHub), conference talks, blog posts, or open-source security tooling
- Experience scripting around OTP/TOTP, PIV, or certificate-based authentication for automated scanning
- Veracode SAST, Contrast IAST, or bug bounty validation experience (HackerOne or similar)
- Prior federal or regulated-environment AppSec work (NIST 800-53 / FISMA familiarity)