Application Security Engineer (Fortify)

Job description


DevSecOps / Application Security Engineer (Fortify & Azure DevOps)
Contract | 2–3 Months | 40 Hours/Week | Fully Remote

Overview
We are seeking a hands-on Application Security / DevSecOps Engineer with a strong software development background to support a short-term engagement focused on implementing and configuring application security scans using the Fortify scanning platform within an Azure DevOps CI/CD environment.
This role is ideal for someone who can bridge development and security, understands how modern pipelines work, and can translate technical implementations into clear, reusable documentation.

Responsibilities
Application Security & Scan Implementation
  • Design, configure, and implement Fortify static (SAST) scans within Azure DevOps pipelines
  • Integrate Fortify scanning into existing CI/CD workflows (build, test, deploy stages)
  • Configure scan parameters, rulesets, thresholds, and policies aligned to best practices
  • Optimize scans for performance, accuracy, and minimal pipeline disruption
  • Troubleshoot scan failures, false positives, and pipeline integration issues
  • Support initial scan execution and validation across multiple codebases
DevSecOps & Engineering Collaboration
  • Work closely with software engineers to:
    • Align scanning with development workflows
    • Ensure scans are developer-friendly and actionable
  • Provide guidance on secure coding practices and vulnerability remediation
  • Help define "shift-left" security patterns within Azure DevOps
Documentation & Knowledge Transfer
  • Create clear, well-structured best-practice documentation, including:
    • Fortify scan setup and configuration guides
    • Azure DevOps pipeline integration instructions
    • Standard operating procedures (SOPs) for running and maintaining scans
    • Guidance for developers on interpreting scan results
  • Produce documentation suitable for:
    • Engineering teams
    • Security teams
    • Future onboarding and sustainment

Required Qualifications
Technical Skills
  • Strong background in software development (Java, C#, JavaScript, Python, or similar)
  • Hands-on experience with Fortify application security scanning (SAST required)
  • Proven experience configuring Azure DevOps pipelines
    • YAML pipelines preferred
    • Build and release pipeline familiarity
  • Understanding of CI/CD, DevSecOps, and secure SDLC practices
  • Experience working with:
    • Static code analysis tools
    • Vulnerability findings and remediation workflows
Documentation & Communication
  • Demonstrated ability to write clear, concise technical documentation
  • Comfortable explaining security concepts to developers
  • Strong written and verbal communication skills

Preferred / Nice-to-Have Qualifications
  • Experience with:
    • Fortify Software Security Center (SSC)
    • Policy enforcement and security gates
    • DAST or SCA tools
  • Familiarity with:
    • OWASP Top 10
    • NIST or secure coding standards
  • Experience in enterprise or regulated environments (government, healthcare, finance)

Engagement Details
  • Duration: 2–3 months
  • Schedule: ~40 hours per week
  • Location: Fully remote (U.S. based preferred)
  • Engagement Type: Contract / Project-based
  • Start: ASAP

Ideal Candidate Profile (Summary)
  • Software engineer who understands CI/CD
  • Hands-on with Fortify scanning tools
  • Comfortable working independently on a defined project
  • Able to implement solutions and document them clearly
  • Pragmatic, security-minded, and developer-friendly


Marathon TS is committed to the development of a creative, diverse and inclusive work environment. In order to provide equal employment and advancement opportunities to all individuals, employment decisions at Marathon TS will be based on merit, qualifications, and abilities. Marathon TS does not discriminate against any person because of race, color, creed, religion, sex, national origin, disability, age or any other characteristic protected by law (referred to as "protected status").
