POSITION SUMMARY
The QA Engineer / DevSecOps Analyst owns the quality and security pipeline for all TMS maintenance and programming deliverables. The contract imposes hard security scan obligations — 90-day mandatory scans, 10-business-day High-Threat remediation, static scan score maintained at 90 or above — that require a dedicated owner. This individual schedules and executes scans, triages results, coordinates remediation with developers, and ensures every SOW deliverable passes quality gates before staging for MoDOT acceptance. This position is not submitted as an Exhibit E biography but is critical to meeting the contract's measurable security SLAs.
KEY RESPONSIBILITIES
· Schedule, execute, and report all required 90-day security code scans for critical and external-facing TMS web applications; maintain static scan score 90 at all times (§2.3.7)
· Triage scan results: classify vulnerabilities by severity, assign ownership to developers, and track High-Threat remediation to closure within 10 business days (§2.3.7)
· Operate and maintain the CI/CD pipeline in Azure DevOps: configure build triggers, automated test execution, and gate controls that enforce quality and security standards before merge
· Develop and maintain automated test suites (unit, integration, regression) for the highest-risk TMS modules; expand coverage during SOW development
· Execute SOW quality gates: confirm unit, integration, and system test completion; document results with pass/fail criteria; prepare staging packages for MoDOT acceptance
· Participate in code review from a security and test-coverage perspective; flag testability or security concerns during architecture walkthroughs
· Track and report security and quality metrics to the Technical Program Manager weekly; produce monthly scan compliance evidence for Program Manager review before invoicing
· Ensure mirrored workstation environment at CEdge matches MoDOT's security scanning toolchain; coordinate tool updates within 30 days of MoDOT infrastructure change notifications
· Support ADA/Section 508 accessibility testing for all new and modified web-application deliverables
REQUIRED QUALIFICATIONS
· Minimum 3 years of software QA, test engineering, or application security experience
· Hands-on experience with static application security testing (SAST) tools (SonarQube, Veracode, Checkmarx, or equivalent)
· Experience with CI/CD pipeline configuration in Azure DevOps, Jenkins, or equivalent
· Experience writing and executing test plans, test cases, and regression suites for .NET web applications
· Ability to classify and triage CVSS-scored vulnerabilities and communicate remediation priorities to developers
· Ability to pass MoDOT background check
PREFERRED QUALIFICATIONS
· Minimum 1 year of experience similar to MoDOT's technical architecture (.NET, Oracle, Azure DevOps)
· Experience with OWASP Top 10 and secure coding practices in a .NET context
· CompTIA Security+, GIAC GWEB, or equivalent security credential
· Experience with accessibility testing tools for Section 508 compliance (WAVE, axe, NVDA)
· Missouri residency or St. Louis metro area location
· Experience managing scan schedules against contractual cadence requirements