DEVSECOPS & APPLICATION SECURITY
Description:
Key Responsibilities
Security by Design: Embed security requirements into CI/CD pipelines, infrastructure-as-code (IaC), and application architectures.
Automation & Tooling: Configure and maintain security scanning tools (SAST, DAST, SCA, container scanners) within automated build and deployment workflows.
Vulnerability Management: Triage, prioritize, and remediate vulnerabilities discovered in code, containers, and cloud environments; drive fixes and track metrics.
Incident Response Support: Assist in investigation of security incidents related to applications or infrastructure; write playbooks and run tabletop exercises.
Infrastructure Security: Implement and enforce secure configuration and hardening standards for cloud platforms (AWS, Azure, GCP) and Kubernetes clusters.
Policy & Compliance: Define, document, and enforce security policies, standards, and guidelines aligned with industry frameworks (OWASP, CIS Benchmarks, NIST).
Threat Modeling & Risk Assessment: Lead or participate in threat modeling sessions for new features; provide risk-based recommendations.
Training & Evangelism: Conduct security awareness workshops for developers and DevOps teams; champion "shift-left" security culture. Required Qualifications
Experience: 5+ years in DevSecOps, cloud security, or application security roles.
Security Toolchain: Hands-on with static analysis (e.g., SonarQube, Fortify), dynamic analysis (e.g., ZAP, Burp Suite), software composition analysis (e.g., Snyk, Black Duck), and container scanning (e.g., Clair, Trivy).
CI/CD Integration: Expertise automating security gates in Jenkins, GitLab CI/CD, GitHub Actions, or equivalent.
Cloud & IaC: Proficiency with AWS/Azure/GCP security services, Terraform/CloudFormation, and Kubernetes security (PodSecurityPolicy, OPA/Gatekeeper).
Programming/Scripting: Strong skills in Python, Go, or Bash for automation and custom tool development.
Standards & Frameworks: Deep understanding of OWASP Top 10, CIS Benchmarks, NIST 800-53/800-190.
Vulnerability Management: Solid experience with vulnerability scanners (Nessus, Qualys) and issue-tracking systems. Preferred Qualifications
Certifications: CISSP, CSSLP, GCP Professional Cloud Security Engineer, AWS Security Specialty, or equivalent.
DevOps Background: Prior hands-on experience in software development, infrastructure engineering, or platform engineering.
Container Security: Familiarity with service meshes (e.g., Istio), runtime protection tools (e.g., Falco), and supply chain security (e.g., Sigstore).
Threat Client & Red Teaming: Experience with penetration testing, threat intelligence feeds, or purple-team exercises.