DevSecOps Engineer

The Position:

The Information Security team is responsible for the oversight and execution of Enterprise’s Information Security, Business Continuity and Risk Management programs to support our business goals. This includes, but is not limited to security operations, vulnerability and patch management, incident response, disaster recovery, risk identification and mitigation planning / implementation, identity management, network security, privacy, and compliance.  In this role, you will build and develop platforms and solutions to streamline and enhance Security Engineering. You will often take part in design and code reviews and offer direction to ensure project scoping activities match architectural goals and specifications. In addition, partner closely with development teams to introduce security capabilities and processes into the software development lifecycle, while promoting a ‘Secure by Design’ approach. Lastly, you will work on cross-team projects, such as, threat surface reduction and vulnerability management.

Responsibilities of DevSecOps Engineer:

• Tool Selection and Implementation: Research, evaluate, and implement security tools and technologies to enhance, automate, or introduce new security capabilities organization. This includes, but not limited to, SCA, SAST, DAST, CI/CD, and additional Automation Tooling.
• Tool Integration & Automation: Develop automation scripts and integrate security tools into existing workflows to improve operational efficiency, reduce human error, and ensure continuous monitoring and mitigation of vulnerabilities.
• Develop and Build Solutions: Work within the security team to develop and build solutions that will move the organization forward in new ways. Partner with other technology teams to develop and build security controls.
• Automate to Scale: Leverage your background to identify processes and workflows to automate
• Security Monitoring: Continuously monitor the performance and effectiveness of deployed security tools and solutions, ensuring that they are configured optimally to detect and respond to emerging threats, vulnerabilities, and are performing as expected. Identify ways to make security transparent within the organization with Dashboards.
• Vulnerability Management: Collaborate with cross-functional teams to manage and prioritize vulnerabilities detected by the security team or within CI/CD security tools. Work with engineering teams to ensure timely patching, remediation, and secure configuration of systems.
• Application Security: Participate in code and architecture reviews, work with Product and Development teams to select secure and preferred development libraries. Provide guidance on secure application design patterns and collaborate with application teams identifying best practices within code. Help lead training requirements for secure coding practices within the organization.
• Data Correlation & Analysis: Use tools to gather and correlate data to identify potentially bad coding practices or designs.
• Incident Response: Support the incident response team by leveraging security tools to investigate, identify, and mitigate vulnerabilities or weaknesses that may have been exploited during an attack.
• Documentation & Reporting: Document tool configurations, processes, and procedures to ensure repeatability and maintainability of attack surface reduction initiatives. Provide regular reports and metrics to leadership on the status and effectiveness of security tools.
• Continuous Improvement: Stay up-to-date on the latest security trends, vulnerabilities, and new tools that can enhance attack surface reduction efforts. Recommend improvements and new technologies to continuously evolve the security program.
• Ideal candidate would also have experience with Public and Private Cloud, Container Orchestration, and a good understanding of Kubernetes and Docker. This role is perfect for someone seeking to establish and own a DevSecOps Program.

Requirements:

• Bachelor’s degree in Computer Science, Information Security, or a related field.
• 5+ years of experience in an Infrastructure, Security, DevOps/DevSecOps, with an Application Security or Software Engineering Background.
• Hands-on experience with Github, Github Actions, Containers, API(s), and Terraform. Familiarity with tools used in DAST, SAST, SBOM, and SCA Tools.
• Strong experience in configuring and integrating with on prem estates (e.g. Data centers) and multi-cloud environments (AWS, Azure, GCP).
• Knowledge of automation tools and scripting languages (Python, Bash, PowerShell, etc.) to automate workflows, integrate security tools, and build solutions.
• Experience assessing and hardening Kubernetes and Containers environments
• Experience integrating DevSecOps tooling into development pipelines to improve the security of internally developed software as well as Infrastructure as Code.
• Experience in implementing enterprise-wide vulnerability management solutions, including container-based vulnerability management.
• Self-starter who demonstrates strong ownership of their domain
• Interpersonal and collaborative skills and the ability to communicate security and risk-related concepts to technical and nontechnical audiences.
• High level of personal integrity, and the ability to professionally handle confidential matters.
• Natural passion for security and ownership, with strong drive to develop and identify solutions, while working to move projects and investigations to completion.