Web Application Security Tester

Title: Web Application Security Tester

Location: Herndon, VA- Remote in States Foxhole is registered to do business

Clearance: Active DoD Secret 

Foxhole Technology provides robust cybersecurity and IT support capabilities for federal civilian and defense agencies. A recognized leader in navigating technology and security challenges, Foxhole delivers mission-focused innovations to answer evolving and complex needs. Our talented employee-owners provide agile, scalable services and solutions that solve operational gaps, operate critical systems, and protect and secure the enterprise – across the organization and around the world.

Support the Web Application Security Program (WASP) mission to ensure that security is integrated systematically and comprehensively throughout the Software Development Life Cycle (SDLC).

• Perform security reviews of web application architectures, APIs, and supporting infrastructure.
• Perform Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) using industry-standard tools.
• Conduct application spidering, fuzzing, and business logic abuse testing to identify vulnerabilities.
• Execute Web Application Penetration Testing against modern frameworks (e.g., React, Angular, , Django, Flask, .NET Core).
• Test APIs using REST and GraphQL fuzzing, schema validation, and security automation.
• Identify and validate vulnerabilities such as:
• OWASP Top 10
• Business Logic flaws
• API Security vulnerabilities (OWASP API Top 10)
• Authentication and authorization weaknesses
• Deserialization and injection flaws
• Conduct manual exploit validation beyond automated tool output to reduce false positives.
• Develop and maintain test automation scripts using frameworks like Burp Suite Extender API, ZAP scripting, and custom Python tools.
• Integrate security testing into CI/CD pipelines using GitLab CI, GitHub Actions, Jenkins, or Azure DevOps.
• Utilize SCA (Software Composition Analysis) tools to identify vulnerable dependencies (e.g., Snyk, Dependency-Check, Black Duck).
• Implement the Common Weakness Scoring System (CWSS) and assist in Common Vulnerability Scoring System (CVSS) ratings for prioritization.
• Generate technical reports and provide remediation guidance to developers, system owners, and ISSOs.
• Provide monthly and annual program metrics including trends in vulnerability classes, remediation timelines, and residual risk.

• Active DoD Secret security clearance
• 5 + years of progressive incident response experience
• DoD IAT II required certification/s (one of the following):  CCNA-Security, CySA+ (CSA+), GICSP, GSEC, Security+ CE,  CND, SSCP, GWAPT, OSWE, eWPT
• CSSP-AUrequired certification/s (one of the following): GSNA, CISA

• Required Tools & Hands-On Skills

  • Web Security Testing & Automation: Burp Suite Pro, OWASP ZAP, Postman, Fiddler, mitmproxy.
  • SAST/DAST: Checkmarx, Fortify, Veracode, SonarQube, Acunetix, AppScan.
  • SCA (Software Composition Analysis): Snyk, OWASP Dependency-Check, Black Duck, Mend.
  • Fuzzing & Exploit Development: AFL, Peach Fuzzer, boofuzz.
  • API Security Testing: Postman, Insomnia, ReadyAPI, Burp Suite extensions for GraphQL/REST.
  • CI/CD Security Integration: GitLab CI, Jenkins, GitHub Actions, Azure DevOps with security plugins.
  • Containers & Cloud Security (preferred): Docker, Kubernetes, AWS Inspector, Prisma Cloud. 

• Strong knowledge of the OWASP Top 10 and OWASP ASVS.
• Familiarity with CWE, NIST 800-53/171, and DISA STIGs.
• Hands-on experience with scripting languages (Python, Bash, PowerShell, JavaScript).
• Familiarity with DevSecOps practices and secure coding guidelines.
• Ability to communicate complex findings clearly to both technical and non-technical stakeholders.

Requirements of position:  Think analytically, effective verbal and written communication skills, make decisions, observe/remember details, interpret data, concentrate on tasks, adjust to change, handle stress/emotions.  Regular attendance, maintain work schedule, attend meetings, meet deadlines, keyboard/type, handle confidential information, use math/calculations, stay organized, operate office equipment, may direct others.   May be exposed to dust/dirt, humidity, and noise.

Foxhole Technology is an Equal Opportunity Employer and makes hiring decisions without regard to race, color, religion, sex (including pregnancy, childbirth and sexual orientation), national origin, age, disability, genetic information, military/veteran status, or any other protected class.