Application Security Engineer (Veracode) — Federal DevSecOps
Company: PHIA
Location: Fairfax, VA 22030 (Remote)
Type: Full-time
Remote: Yes
Posted: 2026-05-04
About this role
Status: Active – Funded Position; 4-year base + 2-year option periods
Location: Remote – U.S. Only
Schedule: Full-time | Core hours 7:30 AM – 4:30 PM ET | Daily standup 8:30 AM ET | Flexible with advance notice
Focus Areas: Veracode (SAST/DAST), Burp Suite Enterprise, CI/CD Security Integration, Federal Application Security Testing
Overview
At phia we hire talented and passionate people who are focused on collaborative, meaningful work, providing technical and operational subject matter expertise and support services to our partners and clients. phia is seeking a mission-driven Application Security Engineer to act as a dedicated technical partner embedded within a federal agency’s AppSec team.
You will plan, administer, and triage application security testing workflows using Veracode and Burp Suite Enterprise, manage security integrations within a CI/CD pipeline, and serve as a technical resource for development teams navigating vulnerability remediation. You will work directly alongside federal clients and a small, experienced AppSec team in a fast-paced, technically driven environment where clear communication and autonomous execution are expected every day.
What You’ll Do
- **Scan Operations:** Plan, schedule, and administer SAST and DAST scans using Veracode across a portfolio of federal web applications; manage scan frequency, result downloads, and client reporting.
- **Application Testing:** Conduct hands-on application security assessments using Burp Suite Enterprise — including proxy capture, authentication testing, repeater analysis, and manual verification of findings.
- **Finding Management:** Triage scan results to distinguish true positives from false positives; coordinate with development teams to verify that remediations are correctly implemented before closing findings.
- **CI/CD Security Integration:** Integrate and maintain security tooling within CI/CD pipelines using GitHub Actions; work with Dependabot and reusable ...