Mid-level Vulnerability Assessments & Infrastructure Specialist - Vulnerability & Attack Surface Management (VASM)

About The Position

Requirements

• 5+ years of experience with vulnerability scanning concepts and best practices, and operating enterprise vulnerability assessment platforms such as Rapid7, Tenable, or Qualys
• 5+ years of experience with Linux and/or Windows Security
• 5+ years of experience troubleshooting foundational networking issues (TCP/IP, DNS, routing, firewalls) and performing network scanning and assessments
• 5+ years of experience analyzing vulnerability findings, triaging true vs false positives, and identifying environmental limitations or compensating controls
• 5+ years of experience managing scan configurations, credentials, schedules, and assessment scope within large or distributed environments

Nice To Haves

• Active Security+, Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Control (CRISC), or vendor/tool-specific certifications
• Experience with application security exposure (SAST/DAST/SCA) and ability to ingest or correlate AppSec findings with infrastructure vulnerabilities
• Experience integrating vulnerability management with AppSec pipelines and DevSecOps toolchains (Continuous Integration/Continuous Deployment (CI/CD) integration, SCA, container scanning)
• Experience with Boeing subsidiaries, mission domains, and supply chain considerations (e.g., Boeing Commercial Airplanes, Boeing Defense & Space, Boeing Global Services, and common subsidiary/supplier systems)
• Experience with vulnerability risk rating methodologies (Common Vulnerability Scoring System (CVSS), Cybersecurity and Infrastructure Security Agency (CISA) Stakeholder-Specific Vulnerability Categorization (SSVC), or organization-specific risk models) and threat intelligence correlation
• Experience scaling or architecting vulnerability management programs in large enterprises and integrating with ticketing/ Configuration Management Database (CMDB) systems (e.g., ServiceNow)
• Experience with cloud environments and cloud-native scanning challenges (Amazon Web Services (AWS)/Azure/Google Cloud Platform (GCP)) and containerized workloads
• Experience enabling self-service vulnerability dashboards and automated exports for business and subsidiary teams
• Experience with regulated or compliance-driven environments and supporting audit or risk frameworks (e.g., National Institute of Standard Technology (NIST), International Organization for Standardization (ISO))

Responsibilities

• Operate and optimize enterprise vulnerability assessment platforms and AppSec integrations to identify, validate, and prioritize security findings across infrastructure and applications
• Perform technical exploitability analysis and business-impact assessments
• Translate findings into prioritized, operationally feasible remediation actions for engineering, Information Technology (IT), and operations teams
• Contribute to development and operationalization of assessment playbooks, scanning standards, AppSec scanning pipelines (Static Application Security Testing/Software Composition Analysis/Dynamic Application Security Testing (SAST/SCA/DAST), reporting, and automation to improve detection fidelity and remediation velocity
• Execute enterprise processes for scheduled and emergent vulnerability assessments, including infrastructure and application discovery, authenticated scanning, and targeted assessments
• Configure, tune, and maintain vulnerability scanning platforms and AppSec integrations (e.g., Rapid7, Tenable, Qualys, Snyk, Veracode), manage credentials, scopes, schedules, and scan policies
• Investigate findings to distinguish true positives from false positives and to identify environmental/configuration constraints, including container, cloud, and legacy systems
• Correlate vulnerability scanner output with threat intelligence, application findings (SAST/DAST/SCA), and asset criticality to produce contextualized risk ratings and remediation priorities
• Assess exploitability, potential for lateral movement, and operational impact for infrastructure, middleware, and application vulnerabilities
• Create remediation plans and work with system owners, application teams, and subsidiary stakeholders to coordinate fixes, compensating controls, and risk-accepted outcomes
• Track remediation burndown, Service Level Agreements (SLAs), and closure
• Escalate high-risk items and produce executive and technical reports tailored to stakeholder audiences
• Collaborate with VASM, AppSec, DevSecOps, engineering, and IT teams to operationalize new scanning capabilities, integrate AppSec pipelines, and reduce noise through tuning and automation
• Contribute to continuous improvement
• Drive automation of ingestion/correlation pipelines, standardize playbooks and runbooks, and deliver training to remediation owners and subsidiary teams

Benefits

• Elements of the Total Rewards package include competitive base pay and variable compensation opportunities.
• The Boeing Company also provides eligible employees with an opportunity to enroll in a variety of benefit programs, generally including health insurance, flexible spending accounts, health savings accounts, retirement savings plans, life and disability insurance programs, and a number of programs that provide for both paid and unpaid time away from work.