Software Assurance Engineer

Description

Leidos is currently seeking a Software Assurance (SwA) Engineer to ensure security is addressed holistically and systematically throughout the Software Development Life Cycle. SwA provides the level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software, throughout SDLC. This positions can be based out of any of our three locations - Alexandria, VA, Fort Meade, MD, or Chambersburg, PA. The position is primarily on-site, but partial telework may be available at the discretion of our customer and program management.

Primary Responsibilities:

• Develop and maintain a SwA SOP outlining software discovery and diagnostic processes throughout the SDLC.
• Perform static code analysis, dynamic code analysis, spidering, software penetration testing, database vulnerability assessment, web service testing, mobile application testing, web and mobile discovery scanning, fuzzing, and reverse engineering of software.
• Document customer requirements and produce Software Assurance Plans (SwAP) including System Under Test (SUT), mission timelines, Rules of Engagement (ROE), communication plan, scope, testing plan, purpose, intended outcome, and system diagrams and survey of Software Assurance Maturity Model (SAMM) Level.
• Complete timely SwA Assessments on any public facing software application as well as all internal facing web applications based on SwARM Assessment Schedule, including Static Code Analysis, Dynamic Code Analysis, Spidering, Software Penetration Testing and Database Vulnerability Assessment.
• Perform SwA testing to include Web Service Testing, Mobile Application Testing, Web & Mobile Discovery Scanning, fuzzing, and reverse engineering of software, and generate corresponding SwA technical reports.
• Validate that SwA controls are implemented in RMF packages within eMASS.
• Use the Common Weakness Scoring System (CWSS) to score software vulnerabilities.
• Provide rapid assessment capabilities at the Government's request, generating Rapid Assessment Reports (RARs).
• Validate remediation efforts, upload Final SwARM Assessment Reports into eMASS and TLR, and track unresolved issues for POA&M development.
• Ensure Final Reports highlight critical security risks, threats, and failures, recommending mitigation actions.
• Conduct in-depth assessments as needed and generate In-Depth Assessment Reports.

• Bachelor's degree (IT-related field preferred) and five (5) years of Software Assurance (SwA), application security, vulnerability assessment, or penetration testing. Additional relevant experience may be considered in lieu of degree.
• Active DoD Top Secret clearance with SCI eligibility required
• DoD 8570 IAM II or IAT II certification
• Proficiency in static and dynamic code analysis, penetration testing, database vulnerability assessments, and software security reviews
• Demonstrable experience with software security testing tools such as Burp Suite, Checkmarx, Qmulos, ACAS, and Axonius
• Knowledge of Common Weakness Scoring System (CWSS) for vulnerability assessment
• Demonstrable experience with reverse engineering, fuzzing, and spidering for security evaluations
• Strong analytical, problem-solving, and communication skills, including ability to communicate and coordinate across multiple internal functional areas and with government contacts at various levels
• Detail-oriented with excellent documentation and reporting abilities