Overview
Job Title: Security Testing Engineer
Location: Springfield, VA
Clearance: Secret
Telework: Hybrid
Discover an exciting career at Foxhole Technology, an innovative IT Engineering firm founded in 2007. As leaders in cybersecurity, DEVSEC OPS, Agile Developemnt, Cloud and IT support for federal civilian and defense agencies, we're at the forefront of addressing complex technology challenges. Our talented employee-owners provide agile, scalable solutions, bridging operational gaps, operating critical systems, and securing enterprises worldwide. If you're ready to be part of a team driving impactful innovations, apply today and shape the future of IT with us!
Job Description
Foxhole Technology is seeking a Security Testing Engineer in support of a government client. The individual should be capable of cybersecurity testing activities across multiple technologies, assets, and networks. The effort requires testing of operating systems, databases, network fabric assets, web applications and services, source code, wireless communications, and emerging cloud solutions. To thoroughly test these technologies, individuals must be well-versed in vulnerabilities and weaknesses that can affect these assets.
Individuals supporting this effort should be capable of the following:
- Maintain and stay current with in-depth technical knowledge of security testing tools in use by the customer and testing techniques.
- Perform automated security testing, manual validation of automated results, and manual configuration validation of items not covered by automated testing, for the assigned area.
- Make recommendations for updates, additions, and modifications to security policy as gaps or deficiencies in security policy are identified.
- Provide recommendations to update existing, or create new, processes and procedures to improve the security testing program.
- Engage with testing stakeholders to gather all required information needed to create detailed test plans.
- Conduct security testing using the provided automated testing tools in conjunction with manual configuration validation techniques.
- Have experience with the following primary tools: Nessus Professional, Nipper, DbProtect, NMAP, BurpSuite. Additional supplementary tools are available.
- Handle the installation, use, and technical troubleshooting of all security testing tools, including the creation of any customized configurations within the testing tools to complete testing engagements.
- Validate target lists and perform discovery scans of target subnets to determine if assets exist within subnets that have not been identified for testing.
- Troubleshoot any technical issues preventing the successful completion of testing engagements within the scheduled time allotted for the engagement (i.e., insufficient credentials, whitelisting not implemented, no network access, etc.).
- Validate and enrich results generated by automated testing tools. Example activities include the identification of false positive findings generated by testing tools and the adjustment of finding severities based on specific considerations within, or associated with, the affected target.
- Participate in findings meetings to review and provide input on the validity of operating system stakeholder responses to findings.
- Provide Subject Matter Expertise for a variety of topics concerning operating systems in various formats (verbal or written).
- Work during non-core business hours, holidays, weekends, and on an as-needed basis to support off-hours testing, when required. This is estimated to occur approximately 30 days each year.
- Travel on a periodic basis to support remote testing when required. This is estimated to occur five (5) days each month for local sites (i.e., within fifty (50) miles of HQ), and approximately ten (10) days each quarter to sites further than fifty (50) miles.
- Support ad-hoc operating system testing engagements of a non-standard nature as they are identified to provide a benefit to IAD’s security testing requirements.
- Additional duties as assigned in support of this security testing effort.
Minimum Requirements
- At least eight (8) years of technical IT security experience. Such experience can come from system or network administration, security analysis, security testing and evaluation, security incident response, security monitoring, IT project implementation, or other similar technical activities.
- At least five (5) years of experience performing security control assessments (i.e., security testing such as security auditing, primary assessor for Security Control Assessments, etc.).
- Experience with manual scanning of complex technical architectures using appropriate tools and configurations (Tenable, DbProtect, Nipper, NMAP, Burp, Prowler, or industry alternatives).
- Experience with NIST and FIPS security controls, DISA STIGs, CIS standards, and cloud hardening standards.
- Experience working in groups acting as the sole security practitioner, as well as experience working in teams of various sizes of security personnel reviewing the same system.
Desired Experience/Certifications
- Security Certifications to include: CISSP, CEH, Pen Test, Web App Testing etc.
More Information
Requirements of position: Think analytically, effective verbal and written communication skills, make decisions, observe/remember details, interpret data, concentrate on tasks, adjust to change, handle stress/emotions. Regular attendance, maintain work schedule, attend meetings, meet deadlines, keyboard/type, handle confidential information, use math/calculations, stay organized, operate office equipment, may direct others. Must be able to see, have eye/hand coordination, and lift up to 10 lbs. May be exposed to dust/dirt, humidity, and noise.
Foxhole Technology is an Equal Opportunity/Affirmative Action Employer. All qualified applicants will receive consideration for employment without regard to race, religion, creed, color, national origin, ancestry, sex (including pregnancy, childbirth, breastfeeding), age, medical condition, marital or domestic partner status, sexual orientation, gender, gender identity, gender expression and transgender status, mental disability or physical disability, genetic information, military or veteran status, citizenship, low-income status or any other status or characteristic protected by applicable law.
#MON