DevOps Engineer

Long Term contract with chance to convert

REMOTE OPENING

Position Overview:

We are looking for a Senior DevSecOps Engineer to lead the integration of security across our entire software development lifecycle. As a senior member of the team, you will drive strategy, set standards, and implement robust, scalable security practices that ensure our development, infrastructure, and operations remain secure and compliant.

You will work closely with engineering, architecture, cloud, and security teams to implement secure-by-default solutions, build developer guardrails, and lead architecture security assessments (ASA) for mission-critical systems. This role demands deep technical expertise, strategic thinking, strong communication skills, and the ability to influence secure design and delivery at scale.

Key Responsibilities:

Strategic & Leadership Responsibilities

Define and champion the DevSecOps strategy and roadmap to align security with development velocity.

Mentor and guide engineers across Dev, Sec, and Ops on secure design, automation, and risk-based decision-making.

Lead threat modeling and architectural risk assessments for new products and major changes.

Establish metrics and KPIs for DevSecOps success and drive continuous improvement.

Core Technical Responsibilities

Shift Left Security: Embed security controls and tools into early-stage development workflows (IDE, code review, pre-commit hooks).

CI/CD Security Automation: Integrate security scanning (SAST, DAST, SCA) directly into CI/CD pipelines using tools like GitHub Actions, GitLab CI, or Jenkins.

Infrastructure as Code (IaC): Harden cloud infrastructure via IaC (Terraform, CloudFormation), with automated policy enforcement.

Security Testing: Implement and manage static and dynamic analysis tools to ensure secure code across repositories and services.

Policy as Code: Define and enforce organizational security policies using frameworks like OPA (Open Policy Agent), Sentinel, or custom rulesets.

Automated Security: Build automated pipelines for vulnerability scanning, compliance checks, and secret detection.

Continuous Monitoring & Logging: Deploy monitoring solutions for real-time threat detection (e.g., GuardDuty, CloudTrail, SIEM tools).

Architecture Diagrams: Create and maintain high-quality architecture and security diagrams for all commercial software platforms and systems.

Guardrails & Governance: Develop developer-facing security guardrails, including pre-approved patterns and automated feedback mechanisms.

Architecture Security Assessments (ASA): Lead ASA reviews for all significant changes, ensuring secure-by-design implementation.

Threat Modeling: Drive proactive threat modeling exercises across products and platforms.

Operational Security Focus

Web Application Firewalls (WAF): Design and maintain WAF rules and architecture (e.g., AWS WAF, Cloudflare).

API Gateway Security: Secure APIs at the gateway level with authentication, rate limiting, and input validation (e.g., AWS API Gateway, Kong, Apigee).

Inline Source Code Scanning: Integrate IDE plugins or Git hooks to scan code in real time and reduce feedback cycles.

Required Qualifications:

6+ years of hands-on experience in DevSecOps, Application Security, or Cloud Security engineering roles.

Deep understanding of secure software development, DevOps principles, and cloud-native architectures.

Proven experience with CI/CD tools and security automation.

Strong scripting and development skills in languages such as Python, Go, or Bash.

Experience designing and operating secure cloud environments (AWS, Azure, GCP).

Proficiency with IaC and configuration management tools (Terraform, Ansible, CloudFormation).

Strong knowledge of container security and orchestration tools (e.g., Kubernetes, Docker, Helm).

Demonstrated experience with enterprise security tooling for scanning, monitoring, and policy enforcement.

Skilled in creating detailed technical diagrams, security artifacts, and documentation.

Strong written and verbal communication skills to influence engineering and leadership teams.

Preferred Qualifications:

Industry certifications: CISSP, CSSLP, OSCP, GCP/AWS/Azure Security Specialist, or equivalent.

Experience with policy-as-code frameworks (OPA/Rego, HashiCorp Sentinel).

Hands-on experience with secrets management solutions (e.g., Vault, AWS Secrets Manager).

Familiarity with regulatory and compliance standards (SOC 2, ISO 27001, HIPAA, PCI-DSS).

Previous experience conducting red team/blue/purple team exercises or penetration testing or equivalent.