Job Title: Application Security / Software Supply Chain Engineer (SBOM)
Location: Remote (Offsite-eligible, U.S.-based); occasional on-site support as required
Clearance Required: Active Secret — must be current and active at time of hire and maintained throughout employment (Tier 3 (T3) / IT-II).
Employment Type: Full-Time
Overview
Cornerstone Technology Enterprises is seeking experienced cybersecurity professionals to support a large Department of Defense enterprise cybersecurity program for our government customer. For this position, we are hiring a Software Supply Chain Security Engineer to secure the software supply chain and strengthen DevSecOps across a large application portfolio. If you care about knowing exactly what is in your software — every dependency, every component, every risk — and stopping vulnerable code before it ships, this role is built for you.
This is a remote-eligible role on the Cybersecurity Division’s software security team. Day to day, you will manage Software Bill of Materials (SBOM) inventories, policies, and lifecycle data in tools such as Sonatype Repository Firewall and Sonatype SBOM Manager, run software composition and static/dynamic code analysis, track third-party dependency and provenance risk, and help development teams remediate findings and integrate security into their CI/CD pipelines — all in support of continuous authorization.
You’ll support one of the Department of Defense’s largest enterprise environments, spanning approximately 15,000 network and endpoint devices, hundreds of mission applications, and globally deployed identity management systems.
Candidates with an application security (AppSec), DevSecOps, software supply chain security, product security, or secure software development background are strongly encouraged to apply.
What You Will Do
Software Supply Chain & SBOM Management (~30%)
- Guide system owners on uploading and maintaining SBOMs for all applications, ensuring complete visibility into software components and dependencies
- Verify SBOMs are complete and maintained for every application release and within CI/CD pipelines
- Monitor and report on software supply chain posture — flagging vulnerable components, exploitable vulnerabilities, non-compliant software, and components in a block/divest state — and manage policy enforcement (e.g., Sonatype)
DevSecOps Security Integration (~25%)
- Provide expert guidance on configuring, using, and integrating application security tools within the development pipeline
- Develop and apply a risk-analysis framework for prioritizing code vulnerabilities (exploitability, impact, context, and mission criticality) and recommend automated-approval thresholds
- Establish processes for manual review of high-risk findings and for validating “Not Applicable” and false-positive determinations
Application Security Analysis & Remediation (~25%)
- Perform on-demand static and dynamic (SAST/DAST) scanning for applications that cannot yet integrate with the CI/CD pipeline, and deliver application security reviews
- Research security weaknesses, including easily exploitable findings, OWASP risks, and high mission-impact issues, and recommend remediation strategies
- Support development teams on vulnerability remediation and prioritization, and review and approve POA&Ms with burndown and roadmap planning
Reporting, Metrics & Developer Enablement (~20%)
- Track the cumulative security impact of application changes (attack surface, new dependencies, control and data-flow changes) and produce quarterly posture reports with trend metrics
- Provide regular application security metrics, vulnerability trends, and remediation guidance to stakeholders
- Conduct outreach, training, and secure-coding enablement to help development teams adopt security tools and standards
Required Qualifications
- Active Secret clearance required (current and active at time of hire; Tier 3 (T3) / IT-II).
- U.S. citizenship (required for CAC and DoD network access)
- 4+ years of experience in application security, DevSecOps, or secure software development
- Hands-on experience with software composition analysis (SCA) and SBOM tooling (e.g., Sonatype, or equivalent SCA/SBOM platforms)
- Experience with static and dynamic application security testing (SAST/DAST) tools and interpreting their results
- Familiarity with CI/CD pipelines and integrating security tooling into them (e.g., GitLab, Jenkins, or similar)
- Working knowledge of the OWASP Top 10, common vulnerability classes, and risk-based prioritization
- Understanding of software dependencies, provenance, and open-source licensing risk
- CompTIA Security+ (or ability to obtain within 30 days of start) to meet the DoD 8140/8570 baseline
Preferred Qualifications
- Hands-on experience with Sonatype Repository Firewall and/or Sonatype SBOM Manager
- Experience with container security and image scanning (e.g., StackRox, Prisma/Twistlock, or similar)
- Familiarity with SBOM formats (SPDX, CycloneDX) and supply chain frameworks (SLSA, NIST SSDF / SP 800-218)
- Secure coding experience in one or more languages (Java, Python, C#, JavaScript, or similar)
- Alignment to DCWF Work Role 622 (Secure Software Assessor); certifications such as CSSLP, GWAPT, or related GIAC application security credentials
- Experience supporting continuous monitoring, vulnerability management, or DevSecOps in a federal/DoD environment
Why Join Cornerstone?
Cornerstone Technology Enterprises is a veteran-owned small business with deep experience supporting federal and defense missions. Our teams operate inside production environments, supporting systems that matter, while maintaining a culture that values trust, accountability, and technical excellence.
This role puts you at the front of the software supply chain, making sure the code and components that run a national-level DoD mission are known, trusted, and secure. It is a chance to shape DevSecOps practice across hundreds of applications and work hands-on with modern software security tooling.
Pay: $87,000.00 - $92,500.00 per year
Benefits:
- 401(k)
- 401(k) matching
- Dental insurance
- Employee discount
- Flexible spending account
- Health insurance
- Health savings account
- Life insurance
- Paid time off
- Retirement plan
- Vision insurance
License/Certification:
- CompTIA Security+ (Required)
Security clearance: Active Secret (Required)
Work Location: Remote