NIH - Application Scanning Analyst
<span style="font-size:11pt;"><span style="line-height:normal;"><span style="font-family:'Times New Roman', serif;"><span style="font-size:10pt;">cFocus Software seeks an Application Scanning Analyst to join our program supporting the National Institutes of Health (NIH). This position is fully remote and requires a Public Trust clearance or the ability to obtain one.</span></span></span></span><br><span style="font-size:11pt;"><span style="line-height:normal;"><span style="font-family:'Times New Roman', serif;"><b><span style="font-size:10pt;">Qualifications:</span></b></span></span></span><ul><li style="margin-left:8px;"><span style="font-size:11pt;"><span style="line-height:107%;"><span style="font-family:'Times New Roman', serif;"><span style="font-size:10pt;"><span style="line-height:107%;">Public Trust Clearance</span></span></span></span></span></li><li style="margin-left:8px;"><span style="font-size:11pt;"><span style="line-height:normal;"><span><span style="font-family:'Times New Roman', serif;"><span style="font-size:10pt;">B.S. in 
Computer Science, Information Technology, or a related field</span></span></span></span></span></li><li style="margin-left:8px;"><span style="font-size:11pt;"><span style="line-height:normal;"><span><span style="font-family:'Times New Roman', serif;"><span style="font-size:10pt;">5+ years of experience performing application security assessments or web application vulnerability scanning.</span></span></span></span></span></li><li style="margin-left:8px;"><span style="font-size:11pt;"><span style="line-height:normal;"><span><span style="font-family:'Times New Roman', serif;"><span style="font-size:10pt;">Experience conducting authenticated and unauthenticated web application security testing.</span></span></span></span></span></li><li style="margin-left:8px;"><span style="font-size:11pt;"><span style="line-height:normal;"><span><span style="font-family:'Times New Roman', serif;"><span style="font-size:10pt;">Experience supporting enterprise vulnerability management programs.</span></span></span></span></span></li><li style="margin-left:8px;"><span style="font-size:11pt;"><span style="line-height:normal;"><span><span style="font-family:'Times New Roman', serif;"><span style="font-size:10pt;">Experience interpreting application security findings and developing remediation guidance.</span></span></span></span></span></li><li style="margin-left:8px;"><span style="font-size:11pt;"><span style="line-height:normal;"><span><span style="font-family:'Times New Roman', serif;"><span style="font-size:10pt;">Experience supporting Federal cybersecurity or large enterprise environments.</span></span></span></span></span></li><li style="margin-left:8px;"><span style="font-size:11pt;"><span style="line-height:normal;"><span><span style="font-family:'Times New Roman', serif;"><span style="font-size:10pt;">Preferred certifications include GWAPT, GWEB, CSSLP, OSWA, or CEH.</span></span></span></span></span></li></ul><br><span style="font-size:11pt;"><span 
style="line-height:107%;"><span style="font-family:'Times New Roman', serif;"><b><span style="font-size:10pt;"><span style="line-height:107%;">Duties:</span></span></b></span></span></span><ul><li style="margin-left:8px;"><span style="font-size:11pt;"><span><span style="line-height:107%;"><span style="font-family:'Times New Roman', serif;"><span style="font-size:10pt;"><span style="line-height:107%;"><span style="color:#030303;">Perform authenticated and unauthenticated web application vulnerability scans.</span></span></span></span></span></span></span></li><li style="margin-left:8px;"><span style="font-size:11pt;"><span><span style="line-height:107%;"><span style="font-family:'Times New Roman', serif;"><span style="font-size:10pt;"><span style="line-height:107%;"><span style="color:#030303;">Conduct application security assessments against internally developed and commercial applications.</span></span></span></span></span></span></span></li><li style="margin-left:8px;"><span style="font-size:11pt;"><span><span style="line-height:107%;"><span style="font-family:'Times New Roman', serif;"><span style="font-size:10pt;"><span style="line-height:107%;"><span style="color:#030303;">Perform Dynamic Application Security Testing (DAST) and support Static Application Security Testing (SAST) activities.</span></span></span></span></span></span></span></li><li style="margin-left:8px;"><span style="font-size:11pt;"><span><span style="line-height:107%;"><span style="font-family:'Times New Roman', serif;"><span style="font-size:10pt;"><span style="line-height:107%;"><span style="color:#030303;">Assess APIs, web services, and middleware for security vulnerabilities.</span></span></span></span></span></span></span></li><li style="margin-left:8px;"><span style="font-size:11pt;"><span><span style="line-height:107%;"><span style="font-family:'Times New Roman', serif;"><span style="font-size:10pt;"><span style="line-height:107%;"><span style="color:#030303;">Conduct application 
configuration reviews and identify security weaknesses.</span></span></span></span></span></span></span></li><li style="margin-left:8px;"><span style="font-size:11pt;"><span><span style="line-height:107%;"><span style="font-family:'Times New Roman', serif;"><span style="font-size:10pt;"><span style="line-height:107%;"><span style="color:#030303;">Perform recurring vulnerability scans in accordance with Government-defined schedules.</span></span></span></span></span></span></span></li><li style="margin-left:8px;"><span style="font-size:11pt;"><span><span style="line-height:107%;"><span style="font-family:'Times New Roman', serif;"><span style="font-size:10pt;"><span style="line-height:107%;"><span style="color:#030303;">Analyze application scan results to identify security vulnerabilities and misconfigurations.</span></span></span></span></span></span></span></li><li style="margin-left:8px;"><span style="font-size:11pt;"><span><span style="line-height:107%;"><span style="font-family:'Times New Roman', serif;"><span style="font-size:10pt;"><span style="line-height:107%;"><span style="color:#030303;">Validate scan findings to eliminate false positives.</span></span></span></span></span></span></span></li><li style="margin-left:8px;"><span style="font-size:11pt;"><span><span style="line-height:107%;"><span style="font-family:'Times New Roman', serif;"><span style="font-size:10pt;"><span style="line-height:107%;"><span style="color:#030303;">Prioritize vulnerabilities using risk-based methodologies, including CVSS scoring and exploitability.</span></span></span></span></span></span></span></li><li style="margin-left:8px;"><span style="font-size:11pt;"><span><span style="line-height:107%;"><span style="font-family:'Times New Roman', serif;"><span style="font-size:10pt;"><span style="line-height:107%;"><span style="color:#030303;">Correlate application vulnerabilities with infrastructure and network risks.</span></span></span></span></span></span></span></li><li 
style="margin-left:8px;"><span style="font-size:11pt;"><span><span style="line-height:107%;"><span style="font-family:'Times New Roman', serif;"><span style="font-size:10pt;"><span style="line-height:107%;"><span style="color:#030303;">Identify critical vulnerabilities requiring immediate remediation.</span></span></span></span></span></span></span></li><li style="margin-left:8px;"><span style="font-size:11pt;"><span><span style="line-height:107%;"><span style="font-family:'Times New Roman', serif;"><span style="font-size:10pt;"><span style="line-height:107%;"><span style="color:#030303;">Perform root cause analysis for recurring application security issues.</span></span></span></span></span></span></span></li><li style="margin-left:8px;"><span style="font-size:11pt;"><span><span style="line-height:107%;"><span style="font-family:'Times New Roman', serif;"><span style="font-size:10pt;"><span style="line-height:107%;"><span style="color:#030303;">Collaborate with software development teams to improve application security.</span></span></span></span></span></span></span></li><li style="margin-left:8px;"><span style="font-size:11pt;"><span><span style="line-height:107%;"><span style="font-family:'Times New Roman', serif;"><span style="font-size:10pt;"><span style="line-height:107%;"><span style="color:#030303;">Provide remediation recommendations aligned with secure coding practices.</span></span></span></span></span></span></span></li><li style="margin-left:8px;"><span style="font-size:11pt;"><span><span style="line-height:107%;"><span style="font-family:'Times New Roman', serif;"><span style="font-size:10pt;"><span style="line-height:107%;"><span style="color:#030303;">Assist developers with vulnerability mitigation strategies.</span></span></span></span></span></span></span></li><li style="margin-left:8px;"><span style="font-size:11pt;"><span><span style="line-height:107%;"><span style="font-family:'Times New Roman', serif;"><span style="font-size:10pt;"><span 
style="line-height:107%;"><span style="color:#030303;">Support integration of security scanning into DevSecOps and CI/CD pipelines.</span></span></span></span></span></span></span></li><li style="margin-left:8px;"><span style="font-size:11pt;"><span><span style="line-height:107%;"><span style="font-family:'Times New Roman', serif;"><span style="font-size:10pt;"><span style="line-height:107%;"><span style="color:#030303;">Recommend application security improvements throughout the software development lifecycle (SDLC).</span></span></span></span></span></span></span></li><li style="margin-left:8px;"><span style="font-size:11pt;"><span><span style="line-height:107%;"><span style="font-family:'Times New Roman', serif;"><span style="font-size:10pt;"><span style="line-height:107%;"><span style="color:#030303;">Promote secure-by-design principles across NIH application environments.</span></span></span></span></span></span></span></li></ul>