DevSecOps Engineer/Lead

As a DevSecOps Engineer, you will bridge the gap between development, operations, and information security. Reporting to the Application Security Lead, you will architect, maintain, and scale security automation across our software development lifecycles (SDLC). Your primary mandate is to shift security left by embedding SAST, DAST, and SCA tools directly into modern CI/CD pipelines, eliminating security bottlenecks and ensuring continuous code compliance.

• Pipeline Security Automation: Integrate and manage static, dynamic, and software composition analysis tools into continuous integration and continuous deployment (CI/CD) pipelines.
• Tooling Optimization: Own, configure, and fine-tune AppSec platforms including Checkmarx, Semgrep, Snyk, and SonarQube to minimize false positives and maximize actionable alerts.
• Automated & Manual DAST: Configure automated dynamic scanners and leverage Burp Suite Professional for targeted security testing on APIs and web services.
• Vulnerability Remediation & Triage: Act as the primary technical point of contact to triage code vulnerabilities, providing clear remediation guidance and proof-of-concept fixes directly to engineering teams.
• Open Source Security (SCA): Utilize Snyk and similar tools to monitor open-source dependencies, license compliance, and third-party software supply chain vulnerabilities.
• Policy Enforcement: Define automated gatekeeping thresholds (e.g., failing builds for critical/high vulnerabilities) within the deployment pipeline based on internal security policies.

• Experience: 4+ years of experience in DevOps, software engineering, or application security, with at least 2+ years dedicated exclusively to DevSecOps practices.
• Tooling Command: Proven, deep technical proficiency with the following tools:
• SAST: Checkmarx, Semgrep, SonarQube
• SCA & Container Security: Snyk
• DAST / Pen-testing: Burp Suite Professional
• CI/CD Ecosystems: Extensive experience building automation plugins and pipelines in GitHub Actions, GitLab CI, Jenkins, or Bitbucket Pipelines.
• Infrastructure as Code (IaC): Solid understanding of cloud-native infrastructure, containerization (Docker, Kubernetes), and secure IaC deployment (Terraform).
• Development Background: Ability to read and understand code snippets across multiple languages (e.g., Python, Java, Go, Node.js).
• Certifications: Certifications such as Certified DevSecOps Professional (CDP), Practical DevSecOps (CDEP), or CSSLP are highly preferred

Join us as we make magic happen to increase Indonesia’s financial inclusion!