Job Description:
• Own day-to-day operations of the Burp Suite Enterprise DAST program: scan scheduling, agent and Linux infrastructure health, scan tuning, and result triage across multiple federal application environments.
• Configure and troubleshoot authenticated scans against modern web applications and APIs, including recorded login sequences (via the official Burp recorder Chrome extension), session-handling rules, and macro-based re-authentication.
• Diagnose and resolve Burp Enterprise scan failures end to end: consecutive audit-item failures, skipped insertion points, timeouts, session invalidation, and authentication state loss.
• Extend Burp Suite Professional with custom extensions (Python/Java/Montoya API) to automate repetitive manual verification, custom authentication flows, and findings validation for the bug bounty program.
• Design and implement authenticated scan workflows that survive multi-factor authentication, including SMS one-time passwords, TOTP tokens, hardware dongles, PIV and smart card client-certificate authentication, and SSO federation.
• Administer the AppSec team’s own Linux infrastructure in AWS (currently EC2 with containerized Burp Enterprise components) and contribute to the migration to on-premises OpenShift.
• Convert legacy Python and shell tooling left behind by previous engineers into Ansible roles and playbooks; manage YAML, Dockerfiles, and Kubernetes manifests as code.
• Integrate AppSec tooling into GitHub Actions workflows alongside Dependabot SCA, including the appropriate use of workflow_dispatch versus workflow_call patterns and reusable workflows.
• Provide secondary support to the broader AppSec toolset: Veracode SAST, Contrast IAST for interactive scanning and runtime security testing, GitHub Advanced Security workflows, and the HackerOne bug bounty program (validating reported findings with Burp Suite Professional).
Requirements:
• 6+ years of hands-on application security engineering experience.
• Demonstrable, current expertise with Burp Suite Enterprise (DAST operations, scan authentication, troubleshooting) and Burp Suite Professional (manual testing, repeater, intruder, session handling).
• Strong Linux/Unix administration skills from the command line.
• Comfortable answering basic questions like "what command checks disk space" or "how do I check whether a service is running" without hesitation, and equally comfortable with more advanced diagnostics.
• Proficiency writing custom Burp extensions and security automation scripts in Python (and ideally Java for the Montoya API).
• Working experience with Kubernetes, Docker, and YAML-driven infrastructure.
• Experience with AWS CloudFormation (or equivalent IaC) and Ansible.
• Experience integrating security scanning into CI/CD pipelines using GitHub Actions, including reusable workflows and Dependabot.
• Demonstrated experience designing authenticated DAST scans against applications protected by SSO, MFA, OTP, or PIV/smart card authentication.
• Clear understanding of modern authentication and authorization protocols, including OAuth 2.0 flows (authorization-code, client-credentials, refresh tokens), SAML, and OpenID Connect.
• U.S. Citizenship and ability to obtain and maintain the required federal Public Trust clearance.
Benefits:
• Fully remote within the United States.
• The standard workday is 8.5 hours with a 30-minute lunch, starting at 8:30 AM EDT with the federal client’s daily stand-up.
• Hours are flexible around the stand-up and any scheduled client meetings.
• Small team: you will be one of two to three engineers focused on the AppSec work stream, with direct, daily collaboration with the government technical lead.