DevSecOps Engineer
PURETECH CODEX
Multiple Vacancies
Posted on 9 Feb
Experience
5 - 7 Years
Job Location
Education
Bachelor of Science(Computers)
Nationality
Any Nationality
Gender
Not Mentioned
Vacancy
9 Vacancies
Job Description
Roles & Responsibilities
Key Responsibilities
- Secure CI/CD Pipeline Design: Architect, design, and implement secure CI/CD pipelines integrating security checkpoints at every stage including code commit, build, test, deployment, and monitoring phases using tools like Jenkins, GitLab CI/CD, Azure DevOps, or GitHub Actions.
- Security Automation: Automate security testing processes including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Software Composition Analysis (SCA), container scanning, and Infrastructure as Code (IaC) security validation throughout the development pipeline.
- Security Tool Integration: Integrate and configure security tools such as SonarQube, Snyk, Checkmarx, Veracode, OWASP ZAP, Aqua Security, Trivy, HashiCorp Vault, and vulnerability management platforms into automated workflows.
- Container and Kubernetes Security: Implement security controls for containerized environments including Docker image scanning, Kubernetes security policies, pod security standards, runtime protection, secrets management, and orchestration security.
- Cloud Security Implementation: Design and implement security controls for cloud platforms (AWS, Azure, GCP) including IAM policies, security groups, network segmentation, encryption, compliance monitoring, and cloud-native security services.
- Infrastructure as Code (IaC) Security: Develop and review secure infrastructure code using Terraform, CloudFormation, or Ansible, implement policy-as-code using tools like Open Policy Agent (OPA) or Checkov, and ensure infrastructure compliance.
- Vulnerability Management: Establish and manage vulnerability management programs including automated scanning, vulnerability prioritization, remediation tracking, SLA management, and integration with ticketing systems.
- Security Code Review: Conduct security-focused code reviews, identify security anti-patterns, provide secure coding guidance to development teams, and implement automated code quality and security gates.
- Client Consulting and Advisory: Engage directly with enterprise and multinational clients to assess current DevSecOps maturity, design security transformation roadmaps, provide strategic recommendations, and guide implementation of security best practices.
- Compliance and Governance: Ensure DevSecOps practices align with regulatory requirements and industry standards including ISO 27001, SOC 2, PCI DSS, HIPAA, GDPR, and implement compliance-as-code frameworks.
- Threat Modeling and Risk Assessment: Conduct application threat modeling, identify security risks in architecture and design phases, perform risk assessments, and recommend security controls to mitigate identified threats.
- Security Training and Enablement: Develop and deliver training programs for development and operations teams on secure coding practices, security tool usage, threat awareness, and DevSecOps methodologies.
- Incident Response Integration: Integrate security monitoring, logging, and alerting into DevOps workflows, implement SIEM integration, establish incident response playbooks, and support security incident investigations.
- Metrics and Reporting: Define and track DevSecOps metrics including mean time to remediate (MTTR), vulnerability density, security test coverage, and compliance status, and provide regular reporting to stakeholders and clients.
Technical Skills
- Strong expertise in CI/CD platforms including Jenkins, GitLab CI/CD, GitHub Actions, Azure DevOps, CircleCI, or Travis CI with experience building complex automated pipelines
- Advanced knowledge of containerization and orchestration using Docker and Kubernetes including security configurations, network policies, and runtime security
- Hands-on experience with security testing tools including SAST (SonarQube, Checkmarx, Fortify), DAST (OWASP ZAP, Burp Suite), and SCA (Snyk, WhiteSource, Black Duck)
- Proficiency in Infrastructure as Code tools such as Terraform, AWS CloudFormation, Azure ARM Templates, or Pulumi with security best practices
- Strong scripting and programming skills in Python, Bash, PowerShell, or Go for automation and custom tool development
- Deep understanding of cloud security for AWS, Azure, or GCP including IAM, KMS, security groups, VPC configuration, and cloud-native security services
- Experience with secrets management solutions such as HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or CyberArk
- Knowledge of container security tools including Aqua Security, Twistlock/Prisma Cloud, Trivy, Clair, or Anchore for image scanning and runtime protection
- Expertise in configuration management and automation tools like Ansible, Puppet, Chef, or SaltStack
- Strong understanding of application security including OWASP Top 10, secure coding practices, authentication/authorization mechanisms, and API security
- Experience with version control systems (Git, GitHub, GitLab, Bitbucket) and branching strategies for secure code management
- Proficiency in monitoring and logging tools such as Prometheus, Grafana, ELK Stack, Splunk, or cloud-native monitoring solutions
- Knowledge of policy-as-code and compliance automation using Open Policy Agent (OPA), Checkov, or Sentinel
- Understanding of Linux/Unix system administration and security hardening practices
Desired Candidate Profile
Company Industry
Department / Functional Area
Keywords
- Devsecops Engineer