A successful candidate will:
- Lead G6 Software Assurance function and posture other SWA resources for unified mission alignment.
- Provide recommendations and guidance, understand and implement best practices, and develop SOPs/policies.
- Review Fortify FPRs to concur/non-concur with developer analysis of SCA findings. The review process may require complex code analysis. Most review activities are performed against ASP.NET Web Forms and MVC web applications. Applicant must be proficient in these technologies.
- Test and research new scan findings reported by Fortify SCA to determine severity and potential fixes.
- Develop and standardize remediation approaches for design patterns used across the portfolio of hosted applications.
- Interface with Fortify support.
- Write simplified test cases that reproduce problematic behavior.
- Submit support tickets and track status through to resolution.
- Track and download new releases of Fortify SCA and Fortify Rulepacks.
- Distribute Fortify software and support installation and configuration activities as needed.
- Track software utilization against licensed capacity.
- Work on integrating scan services into DevOps processes as needed.
- Participate in the implementation and administration of Software Security Center.
- Coordinate with organization’s cybersecurity elements on scan reviews and other software assurance activities that arise.
- Evaluate additional analysis tooling to expand capabilities as opportunities arise.
- Participate in process enhancement and capability growth of software assurance activities within the organization.
Skills & Competencies:
Required: Static code security analysis tooling, C#, ASP.NET Web Forms and MVC, CSS/JS/HTML, SQL
Desired: Fortify SCA, Fortify Audit Workbench, Fortify Software Security Center, Apache Tomcat, Windows Server administration, Multi-tier architecture, Agile development, jQuery, Bootstrap 3/4, Jira or ServiceNow, Familiarity with Cloud, GovCloud, AWS, Azure, Azure DevOps Server, GitLab, SonarQube, Burp Suite, Fortify WebInspect, DISA Application Security and Development STIG, Dynamic Code Analysis.