Software Security Engineer - Newport News - Caribou Thunder LLC

Description

Software Security Engineer (Java)

Mid:
$80,000 - $98,000 Senior: $100,000 - $169,000 Newport News, VA | Active Secret Clearance Required | On-Site Role Overview Safeguard mission-critical defense systems by securing Java-based software operating in classified environments. As a Software Security Engineer (Java), you will work hands-on with Java source code, performing static code analysis, identifying security vulnerabilities, and supporting remediation efforts across the secure software development lifecycle. This role is engineering-focused, not policy-only. You will collaborate directly with software developers, systems engineers, ISSOs, and network teams to strengthen the security posture of actively deployed and sustained Java applications supporting national defense missions. What You'll Do * Perform static security analysis of Java source code, identifying vulnerabilities and security weaknesses and clearly explaining findings to development teams. * Use Fortify and Software Security Center (SSC) hands-on to execute scans, analyze results, validate findings, and support vulnerability remediation. * Support secure software design by applying defense-in-depth principles across Java-based systems operating in classified environments. * Provide technical input to RMF activities, including vulnerability evidence, control implementation details, and remediation tracking (not policy ownership). * Conduct vulnerability assessments and security reviews in alignment with DoD requirements. * Apply and validate Security Technical Implementation Guides (STIGs) and configuration controls across systems and applications. * Monitor systems using ACAS and other DoD-approved tools to identify security risks and compliance gaps. * Participate in incident response and forensic analysis efforts as needed. * Collaborate closely with: * Software developers on secure coding and remediation * Systems engineers on architecture and control implementation * ISSOs and network teams on compliance and operational security * Produce clear technical documentation and briefings for both technical and non-technical stakeholders. * Mentor junior engineers and contribute to continuous improvement of security practices. Required Qualifications * U.S. Citizenship Active Secret clearance * Proven experience performing static security analysis of Java code * Must be able to read, understand, and explain Java logic and vulnerabilities * Hands-on experience using Fortify and Software Security Center (SSC) * CompTIA Security (DoD 8570 IAT Level II compliant) * Ability to work on-site full time in Newport News, VA (80-90% of work performed in a secure lab) * 2 years with a Bachelor's degree in Computer Science, Information Security, or a related discipline * Strong understanding of cybersecurity engineering principles and secure software implementation * Working knowledge of: * Risk Management Framework (RMF) controls and documentation * ACAS scanning, configuration, and reporting * STIG implementation and compliance enforcement * Industry frameworks such as NIST, NIST 800-53, and ISO 27001 * Strong analytical skills and the ability to clearly communicate technical findings Preferred Qualifications * Master's degree in Cybersecurity, Information Assurance, or related discipline * Advanced certifications (CISSP, CISM, CEH, OSCP) * Experience with additional languages such as C++ or Python in secure environments * Familiarity with cloud security, virtualized infrastructure, or zero-trust architectures * Experience supporting both active development and sustainment environments * Exposure to automated vulnerability scanning, SIEM tools, or advanced threat detection * Interest in emerging cybersecurity technologies within the defense sector Mid vs Senior Expectations * Mid-Level: Strong Java and security fundamentals with hands-on Fortify experience; capable of contributing immediately with guidance on RMF processes. * Senior-Level: Deeper technical ownership, mentorship of junior staff, and greater influence on secure design decisions and remediation strategy. Important Notes * This role is not a SOC analyst, ISSO, or cloud-only DevSecOps position. * Candidates must bring real Java security experience - not just tool exposure. * Classified, on-site work is a core requirement. Who is Caribou Thunder? Caribou Thunder is a HUBZone-certified small business providing advanced technical and engineering services to the U.S. Department of War and its mission partners. 35 states and 20 countries. We've delivered trusted solutions for over two decades - strengthening national readiness across missions on land, undersea, in the air, and throughout LEO, MEO, GEO, and deep space. Why Caribou Thunder? TEAM THUNDER

• Mission Focused.

Delivery Proven. Ready to Serve. * Employee Advocacy * Mission Proven * Global Reach * Skilled Teams * Modern Tools * Empowering Culture Our engineers and innovators ensure capability from sea floor to space frontier - delivering on time, maintaining compliance, and performing with precision in high-consequence environments. We specialize in Engineering Services, Cybersecurity, Software Development, Modeling & Simulation, Digital Engineering, and Artificial Intelligence - disciplines powering the nation's most complex technical missions. Employee Advocacy Benefits Our people are the heart of Caribou Thunder. We invest in their growth, flexibility, and well-being - knowing their success drives ours.


Benefits include:

• Premium Health, Dental & Vision Insurance 401(k) with 6% Company Match
• Flexible PTO & Work Schedule
• Education & Certification Reimbursement
• Support for Military Leave
• Work-Life Balance & Traditional Family Values Your future, your flexibility, your well-being - we invest in you. Apply and let's connectbfb3568a-762b b-a9682aa104ca