Senior AppSec Engineer – Burp Suite, Linux, Custom Extensions

Remote Full-time
Job Description:
• Own day-to-day operations of the Burp Suite Enterprise DAST program: scan scheduling, agent and Linux infrastructure health, scan tuning, and result triage across multiple federal application environments.
• Configure and troubleshoot authenticated scans against modern web applications and APIs, including recorded login sequences (via the official Burp recorder Chrome extension), session-handling rules, and macro-based re-authentication.
• Diagnose and resolve Burp Enterprise scan failures end to end: consecutive audit-item failures, skipped insertion points, timeouts, session invalidation, and authentication state loss.
• Extend Burp Suite Professional with custom extensions (Python/Java/Montoya API) to automate repetitive manual verification, custom authentication flows, and findings validation for the bug bounty program.
• Design and implement authenticated scan workflows that survive multi-factor authentication, including SMS one-time passwords, TOTP tokens, hardware dongles, PIV and smart card client-certificate authentication, and SSO federation.
• Administer the AppSec team’s own Linux infrastructure in AWS (currently EC2 with containerized Burp Enterprise components) and contribute to the migration to on-premise OpenShift.
• Convert legacy Python and shell tooling left behind by previous engineers into Ansible roles and playbooks; manage YAML, Dockerfiles, and Kubernetes manifests as code.
• Integrate AppSec tooling into GitHub Actions workflows alongside Dependabot SCA, including the appropriate use of workflow_dispatch versus workflow_call patterns and reusable workflows.
• Provide secondary support to the broader AppSec toolset: Veracode SAST, Contrast IAST for interactive scanning and runtime security testing, GitHub Advanced Security workflows, and the HackerOne bug bounty program (validating reported findings with Burp Suite Professional).

Requirements:
• 6+ years of hands-on application security engineering experience.
• Demonstrable, current expertise with Burp Suite Enterprise (DAST operations, scan authentication, troubleshooting) and Burp Suite Professional (manual testing, repeater, intruder, session handling).
• Strong Linux/Unix administration skills from the command line.
• Comfortable answering basic questions like "what command checks disk space" or "how do I check whether a service is running" without hesitation, and equally comfortable with more advanced diagnostics.
• Proficiency writing custom Burp extensions and security automation scripts in Python (and ideally Java for the Montoya API).
• Working experience with Kubernetes, Docker, and YAML-driven infrastructure.
• Experience with AWS CloudFormation (or equivalent IaC) and Ansible.
• Experience integrating security scanning into CI/CD pipelines using GitHub Actions, including reusable workflows and Dependabot.
• Demonstrated experience designing authenticated DAST scans against applications protected by SSO, MFA, OTP, or PIV/smart card authentication.
• Clear understanding of modern authentication and authorization protocols, including OAuth 2.0 flows (authorization-code, client-credentials, refresh tokens), SAML, and OpenID Connect.
• U.S. Citizenship and ability to obtain and maintain the required federal Public Trust clearance.

Benefits:
• Fully remote within the United States.
• Standard work day is 8.5 hours with a 30-minute lunch, starting at 8:30 AM EDT with the federal client daily stand-up.
• Hours are flexible around the stand-up and any scheduled client meetings.
• Small team: you will be one of two to three engineers focused on the AppSec work stream, with direct, daily collaboration with the government technical lead.

Apply tot his job

Apply To this Job
Apply Now →

Similar Jobs

Experienced Registered Behavior Technician for In-Home ABA Therapy - Atlanta, GA

Remote

Immediate Hiring: Experienced Registered Behavioral Technician (RBT) for Clinic-Based ABA Therapy Services

Remote

Experienced Registered Behavioral Technician (RBT) - ABA Therapy for Children with Autism Spectrum Disorder

Remote

Experienced Registered Nurse - Telehealth: Providing Remote Care Coordination and Patient Support

Remote

Experienced Substitute Teacher for Riverside County Schools - Join Scoot Education's Innovative Team

Remote

Experienced Substitute Teacher for San Bernardino County - Flexible Schedules & Competitive Pay

Remote

Experienced School Year Instructional Coach for High-Dosage Tutoring Programs in Edgewater Park, NJ

Remote

Experienced School Year Tutor for K-8 Students in Math and Literacy - Mickleton, NJ

Remote

Experienced Secondary Social Studies Teacher for Kansas - Flexible Hybrid Remote Arrangement

Remote

USPS Office Helper

Remote

Systems Engineer | North America | Europe | Fully Remote

Remote

Online Customer Service Specialist

Remote

Experienced Full-Time and Part-Time Work at Home Customer Service Agent for Blithequark – Delivering Exceptional Customer Experiences through Remote Support

Remote

[Work From Home] Remote ESL Teacher for 3rd Grade

Remote

Remote Account Manager, Costco - Unlock Your Potential with a Leading Confectionery Distributor

Remote

Senior API Engineer (Remote Opportunity)

Remote

Trucking Dispatcher (Reefer • Dry Van • Power Only) – Remote (Priority: Illinois, USA)

Remote

Lead Software Engineer (Microsoft Technologies)

Remote

Legal Transcriptionist - US

Remote

Marketing Implementation Coordinator

Remote
← Back