Senior AppSec Engineer - Burp Suite Enterprise, Linux, and Custom Extensions Bring your own Burp extensions. We'll bring the Linux boxes.
About the Role
phia is hiring a Senior Application Security Engineer to join a small, highly technical AppSec team supporting a federal civilian client. This is a fully remote role within the United States. You will work directly alongside the government technical lead and our existing senior AppSec engineer as the third member of a tight-knit two-to-three person team operating inside a broader 19-person cybersecurity program. This is a hands-on engineering seat, not a paper-pusher role. The client is a deeply technical Linux/Unix practitioner with strong DevSecOps and AppSec instincts who runs lean by design. We are looking for an engineer who can hold a peer-level technical conversation with him on day one, push back when warranted, and drive technical discussions with development and platform teams outside of security. If you live in a terminal, build your own tooling, and treat Burp Suite as an extensible platform rather than a point-and-click scanner, you will be at home here.
Who You Are
- A *nix native. You administer your own Linux servers from the command line every day and you do not reach for a GUI when bash, systemd, or a quick Python script will do.
- An AppSec specialist whose center of gravity is dynamic application security testing. Burp Suite Enterprise for automated DAST and Burp Suite Professional for manual verification are your primary instruments.
- A builder. You write custom Burp extensions, session handling rules, and macros to solve problems that the out-of-the-box product cannot. You convert ad-hoc Python and shell scripts into proper Ansible roles and playbooks without being asked twice.
- Energetic and direct. You lead technical discussions with application development, platform, and identity teams and translate AppSec findings into concrete remediation work.
- Naturally curious about AppSec and DevSecOps research, and you keep current through OWASP, security advisories, and hands-on lab work with new tooling and techniques.
- Own day-to-day operations of the Burp Suite Enterprise DAST program: scan scheduling, agent and Linux infrastructure health, scan tuning, and result triage across multiple federal application environments.
- Configure and troubleshoot authenticated scans against modern web applications and APIs, including recorded login sequences (via the official Burp recorder Chrome extension), session-handling rules, and macro-based re-authentication.
- Diagnose and resolve Burp Enterprise scan failures end to end: consecutive audit-item failures, skipped insertion points, timeouts, session invalidation, and authentication state loss. You read scan logs and traces, not just dashboards.
- Extend Burp Suite Professional with custom extensions (Python/Java/Montoya API) to automate repetitive manual verification, custom authentication flows, and findings validation for the bug bounty program.
- Make Burp Enterprise work against authenticated APIs and applications that were designed for human authorization-code flows by adapting them to OAuth 2.0 client-credentials and other machine-to-machine patterns suitable for automated scanning.
- Design and implement authenticated scan workflows that survive multi-factor authentication, including SMS one-time passwords, TOTP tokens, hardware dongles, PIV and smart card client-certificate authentication, and SSO federation.
- Partner with the application and identity teams to provision dedicated lower-environment test accounts and authentication paths that allow continuous, hands-off DAST coverage.
- Clearly articulate and apply the distinctions between OAuth 2.0 authorization-code flow, client-credentials flow, SAML, and OpenID Connect when designing scan authentication strategies.
- Administer the AppSec team's own Linux infrastructure in AWS (currently EC2 with containerized Burp Enterprise components) and contribute to the migration to on-premise OpenShift.
- Convert legacy Python and shell tooling left behind by previous engineers into Ansible roles and playbooks; manage YAML, Dockerfiles, and Kubernetes manifests as code.
- Use CloudFormation for AWS infrastructure as code; comfortably operate at the Kubernetes and Linux CLI for routine tasks (disk usage with df, service status with systemctl, container lifecycle, log retrieval, and basic networking diagnostics).
- Integrate AppSec tooling into GitHub Actions workflows alongside Dependabot SCA, including the appropriate use of workflow_dispatch versus workflow_call patterns and reusable workflows.
- Work with development teams to embed scan gates and remediation feedback loops into existing CI/CD pipelines (GitHub Actions primary; Jenkins as encountered).
- Provide secondary support to the broader AppSec toolset: Veracode SAST, Contrast IAST for interactive scanning and runtime security testing, GitHub Advanced Security workflows, and the HackerOne bug bounty program (validating reported findings with Burp Suite Professional).
- Veracode SAST is part of the program but is not the primary focus of this position. This role is centered on Burp.
- 6+ years of hands-on application security engineering experience.
- Demonstrable, current expertise with Burp Suite Enterprise (DAST operations, scan authentication, troubleshooting) and Burp Suite Professional (manual testing, repeater, intruder, session handling).
- Strong Linux/Unix administration skills from the command line. Comfortable answering basic questions like "what command checks disk space" or "how do I check whether a service is running" without hesitation, and equally comfortable with more advanced diagnostics.
- Proficiency writing custom Burp extensions and security automation scripts in Python (and ideally Java for the Montoya API).
- Working experience with Kubernetes, Docker, and YAML-driven infrastructure.
- Experience with AWS CloudFormation (or equivalent IaC) and Ansible.
- Experience integrating security scanning into CI/CD pipelines using GitHub Actions, including reusable workflows and Dependabot.
- Demonstrated experience designing authenticated DAST scans against applications protected by SSO, MFA, OTP, or PIV/smart card authentication.
- Clear understanding of modern authentication and authorization protocols, including OAuth 2.0 flows (authorization-code, client-credentials, refresh tokens), SAML, and OpenID Connect.
- U.S. Citizenship and ability to obtain and maintain the required federal Public Trust clearance.
- OpenShift administration experience, particularly migration of workloads from EKS or self-managed Kubernetes.
- Experience operationalizing Contrast IAST or another interactive application security testing platform.
- Experience supporting or validating findings from a managed bug bounty program (HackerOne, Bugcrowd, etc.).
- Active participation in AppSec or DevSecOps research, OWASP chapters, CTFs, or public security publications.
- Relevant certifications such as OSCP, OSWE, GWAPT, Burp Suite Certified Practitioner, CKA/CKS, AWS Security Specialty, or CISSP.
- Fully remote within the United States.
- Standard work day is 8.5 hours with a 30-minute lunch, starting at 8:30 AM EDT with the federal client daily stand-up. Hours are flexible around the stand-up and any scheduled client meetings.
- The client is generally on-site; the phia team is remote with occasional, well-coordinated on-site visits planned in advance.
- Small team: you will be one of two to three engineers focused on the AppSec work stream, with direct, daily collaboration with the government technical lead.
This is not a "fill a seat" AppSec position. The federal client expects, and phia needs, an engineer who can keep pace with a senior technical government lead, drive automation in a program that has historically relied on manual effort, and own the Burp Suite Enterprise program end to end. If the job description above reads like a list of things you have actually done - and enjoyed doing - we want to talk. |
Phia LLC
May 21, 2026