CMT Services Inc

Web Developer Security Engineer

CMT Services Inc · District of Columbia, United States

Business Consulting and Services · 51-200 employees

3 d ago
Mid (2-5 yrs) Full-time United States
Log in to apply, save this posting, or score it against your profile with AI.

About the role

Protects mission-critical web applications and APIs by embedding security throughout the software development lifecycle. Responsibilities include neutralizing vulnerabilities, performing threat modeling, and ensuring compliance with NIST, FISMA, and FedRAMP standards.

What they look for

Secure Software Development DevSecOps Vulnerability Remediation Log Analysis Web Application Firewall File Integrity Monitoring .NET REST APIs SQL Python JavaScript OWASP Top 10 CI/CD Pipeline Risk Assessment NIST SP 800-53 Cloud Infrastructure Security

Requirements

Requires a Bachelor's degree in a technical field and at least 3 years of experience in Web Application Security or secure SDLC. Proficiency in modern web technologies, DevSecOps automation, and security certifications like CSSLP, GWEB, or OSCP is expected.

Full description

ABOUT US:

CMT Services Inc. is a dynamic and small business supporting Federal, State, and Local government agencies. As an SBA-certified HUBZone, Woman Owned Small Business (WOSB), we deliver quality, professional services to support the missions and strategic business goals of our clients.

 

Position Title: Web Developer Security Engineer

 

Location:

US Congressional Budget Office

Ford House Office Building, 4th floor

2nd St SW, 441 D St SW

Washington, DC 20024

 

Period of Performance:

08/15/2026 - 08/14/2031

 

Place of Performance:

Remote work; however, at CBO’s discretion employees may be required to work on-site at CBO facilities 

Position Summary: 

Protects CBO’s mission-critical web applications, APIs, and sensitive data by embedding strong security throughout the software development lifecycle — making security a proactive, built-in part of design and delivery.

 

Key Responsibilities:

  • Identify, analyze, and neutralize critical vulnerabilities, logic flaws, insecure dependencies, and misconfigurations.
  • Drive the end-to-end vulnerability lifecycle — proactive threat modeling, advanced security assessments, and remediation validation.
  • Support integration of security controls into application architectures, APIs, and services; advise on secure design patterns, data protection, and secure communication protocols.
  • Obtain, review, and analyze web server and application logs to detect anomalies and indicators of compromise.
  • Implement automation scripts for threat-intelligence integration; support end-to-end response to web application security events.
  • Maintain documentation of findings, remediation steps, and security controls.
  • Ensure web applications and cloud infrastructure comply with NIST SP 800-53, FISMA, and FedRAMP (as applicable); participate in audits, risk assessments, and authorization.

 

Required Qualifications:

  • Extensive hands-on secure software development, DevSecOps automation, and vulnerability remediation.
  • Proficiency in log analysis, file integrity monitoring (FIM), and managing web application firewalls (WAF).
  • Minimum 3 years in Web Application Security, AppSec, or secure SDLC (SSDLC).
  • Development with modern web technologies and frameworks including .NET (C# MVC, WCF), HTML5, CSS3, JavaScript, REST APIs, and SQL.
  • Ability to leverage AI-assisted development tools (e.g., GitHub Copilot, OpenAI API/Codex) and scripting (Python, JavaScript/Node.js, Java, React.js, TypeScript) to automate security monitoring and compliance audits.
  • Strong understanding of OWASP Top 10, secure coding standards, and mitigation of common web vulnerabilities.
  • Deploying, tuning, and maintaining WAF solutions tailored to custom applications and traffic patterns.
  • Configuring/managing File Integrity Monitoring (FIM) for web content directories.
  • Familiarity with security testing tools — Wireshark, SIEM, IDS/IPS, NDR, or EDR.
  • Evaluating/recommending/implementing security controls for mobile device and mobile-web interfaces.
  • Performing complex risk assessments, analyzing cyber threats, and providing remediation guidance for core systems and dependencies.
  • Implementing DevSecOps principles — integrating security controls throughout the CI/CD pipeline.
  • Developing security metrics, managing compliance reporting, and auditing systems against baselines.
  • Effective cross-team collaboration and independent work; providing Tier II support for security operations.

 

Education:

  • Bachelor’s degree (or higher) in Computer Science, Cybersecurity, Information Systems, Engineering, or a related field.

 

Certification:

  • Specialized AppSec: CSSLP (Certified Secure Software Lifecycle Professional); GWEB (GIAC Certified Web Application Defender); CASE (EC-Council Certified Application Security Engineer).
  • Offensive Security: OSWE (OffSec Web Expert); OSCP (Offensive Security Certified Professional).
  • Foundational Security: Security+; GSEC.

Join Our Team:

 

At CMT Services, we believe that extraordinary results come from empowering exceptional people. If you're ready to lead innovative projects, solve complex challenges, and contribute to meaningful infrastructure development while advancing your career in a supportive, collaborative environment, we want to hear from you.

 

Disclaimer: 

By submitting your resume for this job posting, you authorize CMT Services, Inc. to forward your resume to all applicable internal and external managers, agencies, and recruitment personnel for review and consideration to hire.