
Application Security and Compliance Programs Manager

Today Flexible / Remote

Reporting to the VP, Info Tech & Security, the Application Security and Compliance Programs Manager is responsible for our Compliance Programs & Application Security, ensuring that Cofense Engineering designs, builds, ships, and operates software securely, whilst also being responsible for our information security standards.

Essential Duties/Responsibilities

  • Primarily responsible for being the single point of contact on all project management activities for the FedRAMP/SOC 2/ISO27001 program
  • Own the relationships with the 3PAO, sponsoring agency, and FedRAMP PMO
  • Lead the FedRAMP continuous monitoring (ConMon) activities including the Plans of Actions and Milestones (POA&Ms)
  • Lead the planning, scheduling, and preliminary analysis for all internal and external audits
  • Integrating security tools, standards, and processes into the software development life cycle (SDLC).
  • Ensuring that software engineers are trained with the appropriate level of security knowledge to perform their daily
  • Improving and supporting application security tool deployments including static analysis, dependency/component analysis, and dynamic analysis tools.
  • Improving and maintaining secure development
  • Supporting the incident response and architecture review processes whenever application security expertise is
  • Managing annual penetration testing services and application security assessments.
  • Providing manual penetration testing, threat modeling, and gap analysis for Cofense developed applications.
  • Supporting Vendor Security activities to ensure 3rd-party software and development meets Cofense security
  • Support application security activities related to compliance efforts including FedRAMP/SOC 2/ISO27001.
  • Execute strategic vision for the Application Security program.
  • Other duties as assigned

Knowledge, Skills and Abilities Required

  • FedRAMP industry relationships and knowledge
  • Superb soft skills including the ability to gain the trust of stakeholders and senior management and negotiate priorities with outside teams
  • Working knowledge of public cloud providers (e.g., AWS)
  • Ability to translate security concepts into language that is meaningful to many audiences, including business leaders, technical leaders, and individual
  • Ability to approach application security from the perspective of risk management
  • Strong leadership and technical skills to effectively manage Application Security engineers.
  • Understanding of deployment methodologies in use for assigned products and projects.
  • Ability to multitask and context-switch across diverse teams and projects.
  • Familiarity with common security libraries, security controls, and common security flaws.
  • Familiarity with cloud security controls and best practices.
  • Excellent verbal and written communication skills.

Education and/or Experience:

  • 5+ years application security experience
  • Experience must demonstrate working knowledge in all phases of preparing and reviewing complete ATO packages for information technology systems and/or applications as defined by the Federal Information Security Modernization Act and implemented by the guidance of the GSA Federal Risk and Authorization Management Program (FedRAMP).
  • Must possess a strong background with
    • NIST Risk Management Framework (SP 800-53)
    • Federal Information Processing Standards (FIPS) 199 and 140
    • DoD Cloud Computing Security Requirements Guide (SRG)
  • Experience load-balancing multiple competing projects at the enterprise level.
  • Bachelor's degree preferred. Strong preference given for bachelor's and advanced degrees in software technology related fields.

Disclaimer

The above statements are neither intended to be an all-inclusive list of the duties and responsibilities of the job described, nor are they intended to be a listing of all of the skills and abilities required to do the job. Rather, they are intended only to describe the general nature of the job. This job description is not a contract of employment, either express or implied. Employment with Cofense will be voluntarily entered into and your employment is considered at will. Cofense reserves the right to alter the job description at any time without notice.

Cofense is committed to equal employment opportunity. We will not discriminate against employees or applicants for employment on any legally recognized basis [protected class] including, but not limited to: veteran status, uniform service member status, race, color, religion, sex (including pregnancy), gender identity, sexual orientation, national origin, age, physical or mental disability, marital status, genetic information or any other status or characteristic protected by applicable national, federal, state or local laws and ordinances. We adhere to these commitments in all aspects of employment, including recruitment, hiring, training, compensation, promotion, benefits, and discipline.

Client-provided location(s): Flexible / Remote
Job ID: cofense-APPLI002066
Employment Type: FULL_TIME
Posted: 2025-11-06T19:19:08

Perks and Benefits

  • Health and Wellness

    • Health Insurance
    • Health Reimbursement Account
    • Dental Insurance
    • Vision Insurance
    • Life Insurance
    • Short-Term Disability
    • Long-Term Disability
    • FSA
    • HSA With Employer Contribution
    • Pet Insurance
    • Mental Health Benefits
    • Virtual Fitness Classes
    • HSA
  • Parental Benefits

    • Family Support Resources
    • Birth Parent or Maternity Leave
  • Work Flexibility

    • Flexible Work Hours
    • Remote Work Opportunities
  • Office Life and Perks

    • Commuter Benefits Program
    • Casual Dress
    • Pet-friendly Office
    • Happy Hours
    • Snacks
    • Some Meals Provided
    • Company Outings
    • On-Site Cafeteria
    • Holiday Events
  • Vacation and Time Off

    • Paid Vacation
    • Unlimited Paid Time Off
    • Paid Holidays
    • Personal/Sick Days
    • Leave of Absence
    • Volunteer Time Off
    • Summer Fridays
  • Financial and Retirement

    • 401(K) With Company Matching
  • Professional Development

    • Tuition Reimbursement
    • Learning and Development Stipend
    • Promote From Within
    • Mentor Program
    • Shadowing Opportunities
    • Access to Online Courses
    • Lunch and Learns
    • Internship Program
    • Leadership Training Program
  • Diversity and Inclusion

    • Diversity, Equity, and Inclusion Program
    • Unconscious Bias Training
