This job posting is no longer active and is not accepting applications.

Posted 3w ago

Security Software Engineer (MD, Hanover)

@ Eccalon
Hanover, Maryland, United States
Hybrid, Full Time
Responsibilities: Design software, Review architecture, Lead vulnerability management
Requirements Summary: 3+ years of software engineering with a security focus; BS in CS/Engineering or equivalent; proficiency in JavaScript/TypeScript, Python, Go, or C#; knowledge of OWASP, NIST 800-171/CMMC/FedRAMP; experience with AWS and Azure.
Technical Tools Mentioned: AWS, Azure, SAST, DAST, CI/CD, WAF, Security Hub, Defender, Sentinel, IAM, OIDC, SAML, Cognito, GCC High, GovCloud, Checkov, Snyk, Prisma, Docker, ECS
Job Description

We are seeking a Security Software Engineer to build and harden software systems supporting DoD programs operating under CMMC/NIST 800-171/FedRAMP compliance requirements. You will embed security across the SDLC—from design and code review through CI/CD and cloud deployment—working alongside engineering, DevSecOps, and IT teams in a regulated, cloud-native environment (AWS Commercial and GovCloud, Azure GCC High).

Responsibilities

  • Core Engineering & Secure Development

    • Design and develop secure software with a security-first mindset baked into every phase of the SDLC.

    • Apply secure coding standards, threat modeling, and vulnerability mitigation aligned to NIST 800-53 and CMMC Level 2/3 controls.

    • Conduct architecture reviews and code hardening to address OWASP Top 10 and DoD STIGs.

    • Automate security gates in CI/CD pipelines (SAST, DAST, dependency scanning, secrets detection).

  • Security Architecture & Controls

    • Design secure system and API architectures for multi-tenant cloud environments, including GCC High and FedRAMP-authorized platforms.

    • Implement IAM controls, JIT provisioning, SSO/SAML/OIDC flows, and least-privilege authorization frameworks (e.g., Cognito, Azure AD).

    • Instrument applications with security logging and monitoring that satisfies audit and continuous monitoring requirements (AU/SI control families).

  • Vulnerability Management & Response

    • Lead code reviews, SAST/DAST scans, and targeted penetration testing; document findings against control frameworks.

    • Triage and remediate vulnerabilities within POA&M timelines; maintain artifact evidence for compliance assessments.

    • Support incident response for application-layer events; contribute to after-action reports and corrective action plans.

  • Cross-functional Collaboration

    • Serve as the embedded security champion for engineering squads, raising the security bar through mentorship and code review culture.

    • Develop and deliver security training and runbooks tailored to engineering and DevOps team members.

    • Collaborate with DevOps/SRE to enforce secure IaC, WAF rules, network controls, and runtime monitoring across AWS and Azure environments.

Required Qualifications

  • Bachelor’s degree in Computer Science, Engineering, or related field—or equivalent experience.

  • 3+ years of software engineering experience with a strong focus on security.

  • Proficiency in one or more programming languages (e.g., JavaScript/TypeScript, Python, Go, C#).

  • Experience with secure coding practices and frameworks.

  • Strong understanding of application security principles, including:

    • OWASP Top 10

    • Secure API/REST design

    • Cryptography fundamentals

    • Authentication/authorization patterns

  • Experience with code scanning tools (SAST/DAST), threat modeling, and penetration testing.

  • Familiarity with NIST 800-171, CMMC, or FedRAMP security control requirements and evidence collection.

  • Hands-on experience with AWS and/or Azure security services (IAM, WAF, Security Hub, Defender, Sentinel); GCC High or GovCloud experience a plus.

Preferred Qualifications

  • Experience with container security (Docker, ECS).

  • Working knowledge of Zero Trust Architecture principles.

  • Experience building DevSecOps pipelines in regulated environments; familiarity with tools like Prisma, Checkov, Snyk, or Aqua.

  • Relevant certifications (any of the following):

    • CISSP, CSSLP, or CASP+

    • OSCP

    • CEH

    • GIAC (GWAPT, GSEC, GWEB) or CCP/CCA (UK Cyber Essentials equivalent)

  • Experience securing microservices or event-driven architectures on ECS; background in federal or cleared environments preferred.