Senior AppSec Engineer - Burp Suite, Linux, & Custom Extensions

Senior AppSec Engineer - Burp Suite Enterprise, Linux, and Custom Extensions

Bring your own Burp extensions. We'll bring the Linux boxes.

About the Role

phia is hiring a Senior Application Security Engineer to join a small, highly technical AppSec team supporting a federal civilian client. This is a fully remote role within the United States. You will work directly alongside the government technical lead and our existing senior AppSec engineer as the third member of a tight-knit two-to-three person team operating inside a broader 19-person cybersecurity program.

This is a hands-on engineering seat, not a paper-pusher role. The client is a deeply technical Linux/Unix practitioner with strong DevSecOps and AppSec instincts who runs lean by design. We are looking for an engineer who can hold a peer-level technical conversation with him on day one, push back when warranted, and drive technical discussions with development and platform teams outside of security. If you live in a terminal, build your own tooling, and treat Burp Suite as an extensible platform rather than a point-and-click scanner, you will be at home here.

Who You Are

• A *nix native. You administer your own Linux servers from the command line every day and you do not reach for a GUI when bash, systemd, or a quick Python script will do.
• An AppSec specialist whose center of gravity is dynamic application security testing. Burp Suite Enterprise for automated DAST and Burp Suite Professional for manual verification are your primary instruments.
• A builder. You write custom Burp extensions, session handling rules, and macros to solve problems that the out-of-the-box product cannot. You convert ad-hoc Python and shell scripts into proper Ansible roles and playbooks without being asked twice.
• Energetic and direct. You lead technical discussions with application development, platform, and identity teams and translate AppSec findings into concrete remediation work.
• Naturally curious about AppSec and DevSecOps research, and you keep current through OWASP, security advisories, and hands-on lab work with new tooling and techniques.

What You Will Do

Burp Suite Enterprise (Primary Focus)

• Own day-to-day operations of the Burp Suite Enterprise DAST program: scan scheduling, agent and Linux infrastructure health, scan tuning, and result triage across multiple federal application environments.
• Configure and troubleshoot authenticated scans against modern web applications and APIs, including recorded login sequences (via the official Burp recorder Chrome extension), session-handling rules, and macro-based re-authentication.
• Diagnose and resolve Burp Enterprise scan failures end to end: consecutive audit-item failures, skipped insertion points, timeouts, session invalidation, and authentication state loss. You read scan logs and traces, not just dashboards.
• Extend Burp Suite Professional with custom extensions (Python/Java/Montoya API) to automate repetitive manual verification, custom authentication flows, and findings validation for the bug bounty program.
• Make Burp Enterprise work against authenticated APIs and applications that were designed for human authorization-code flows by adapting them to OAuth 2.0 client-credentials and other machine-to-machine patterns suitable for automated scanning.

Multi-Factor and Federated Authentication Scanning

• Design and implement authenticated scan workflows that survive multi-factor authentication, including SMS one-time passwords, TOTP tokens, hardware dongles, PIV and smart card client-certificate authentication, and SSO federation.
• Partner with the application and identity teams to provision dedicated lower-environment test accounts and authentication paths that allow continuous, hands-off DAST coverage.
• Clearly articulate and apply the distinctions between OAuth 2.0 authorization-code flow, client-credentials flow, SAML, and OpenID Connect when designing scan authentication strategies.

Linux Infrastructure and Automation

• Administer the AppSec team's own Linux infrastructure in AWS (currently EC2 with containerized Burp Enterprise components) and contribute to the migration to on-premise OpenShift.
• Convert legacy Python and shell tooling left behind by previous engineers into Ansible roles and playbooks; manage YAML, Dockerfiles, and Kubernetes manifests as code.
• Use CloudFormation for AWS infrastructure as code; comfortably operate at the Kubernetes and Linux CLI for routine tasks (disk usage with df, service status with systemctl, container lifecycle, log retrieval, and basic networking diagnostics).

CI/CD and DevSecOps Integration

• Integrate AppSec tooling into GitHub Actions workflows alongside Dependabot SCA, including the appropriate use of workflow_dispatch versus workflow_call patterns and reusable workflows.
• Work with development teams to embed scan gates and remediation feedback loops into existing CI/CD pipelines (GitHub Actions primary; Jenkins as encountered).

Supporting AppSec Programs

• Provide secondary support to the broader AppSec toolset: Veracode SAST, Contrast IAST for interactive scanning and runtime security testing, GitHub Advanced Security workflows, and the HackerOne bug bounty program (validating reported findings with Burp Suite Professional).
• Veracode SAST is part of the program but is not the primary focus of this position. This role is centered on Burp.

Required Qualifications

• 6+ years of hands-on application security engineering experience.
• Demonstrable, current expertise with Burp Suite Enterprise (DAST operations, scan authentication, troubleshooting) and Burp Suite Professional (manual testing, repeater, intruder, session handling).
• Strong Linux/Unix administration skills from the command line. Comfortable answering basic questions like "what command checks disk space" or "how do I check whether a service is running" without hesitation, and equally comfortable with more advanced diagnostics.
• Proficiency writing custom Burp extensions and security automation scripts in Python (and ideally Java for the Montoya API).
• Working experience with Kubernetes, Docker, and YAML-driven infrastructure.
• Experience with AWS CloudFormation (or equivalent IaC) and Ansible.
• Experience integrating security scanning into CI/CD pipelines using GitHub Actions, including reusable workflows and Dependabot.
• Demonstrated experience designing authenticated DAST scans against applications protected by SSO, MFA, OTP, or PIV/smart card authentication.
• Clear understanding of modern authentication and authorization protocols, including OAuth 2.0 flows (authorization-code, client-credentials, refresh tokens), SAML, and OpenID Connect.
• U.S. Citizenship and ability to obtain and maintain the required federal Public Trust clearance.

Nice to Have

• OpenShift administration experience, particularly migration of workloads from EKS or self-managed Kubernetes.
• Experience operationalizing Contrast IAST or another interactive application security testing platform.
• Experience supporting or validating findings from a managed bug bounty program (HackerOne, Bugcrowd, etc.).
• Active participation in AppSec or DevSecOps research, OWASP chapters, CTFs, or public security publications.
• Relevant certifications such as OSCP, OSWE, GWAPT, Burp Suite Certified Practitioner, CKA/CKS, AWS Security Specialty, or CISSP.

Work Environment

• Fully remote within the United States.
• Standard work day is 8.5 hours with a 30-minute lunch, starting at 8:30 AM EDT with the federal client daily stand-up. Hours are flexible around the stand-up and any scheduled client meetings.
• The client is generally on-site; the phia team is remote with occasional, well-coordinated on-site visits planned in advance.
• Small team: you will be one of two to three engineers focused on the AppSec work stream, with direct, daily collaboration with the government technical lead.

Why This Role

This is not a "fill a seat" AppSec position. The federal client expects, and phia needs, an engineer who can keep pace with a senior technical government lead, drive automation in a program that has historically relied on manual effort, and own the Burp Suite Enterprise program end to end. If the job description above reads like a list of things you have actually done - and enjoyed doing - we want to talk.