Principal DevSecOps Engineer (Security Operations)

Overview 

We are seeking a skilled DevSecOps Engineer to strengthen our software delivery pipelines with security best practices, automation, and continuous improvement. The ideal candidate will bridge the gap between development, security, and operations teams, ensuring that our infrastructure and applications are secure, scalable, and efficiently deployed. 

You'll be instrumental in building security guardrails that enable developers to move fast while maintaining robust security posture, creating "golden paths" that make secure choices the easy choices. 

Key Responsibilities 

1. Security Integration & Automation 

• Embed security practices into CI/CD pipelines (e.g., Azure DevOps, GitHub Actions). 

• Automate static and dynamic code analysis (SAST/DAST), dependency scanning, and container image scanning. 

• Implement and manage vulnerability scanning tools (e.g., SonarQube, Snyk). 

• Generate and maintain Software Bill of Materials (SBOM) for applications and container images using JFrog. 

• Manage JFrog for secure artifact repository management, binary promotion, and access control. 

• Build developer security tooling including IDE plugins, pre-commit hooks, and local scanning capabilities. 

• Ensure secure configurations across cloud environments and container platforms. 

2. Cloud & Infrastructure Security 

• Apply DevSecOps principles to cloud infrastructure (AWS, Azure, or GCP). 

• Utilize Wiz for cloud security posture management (CSPM), vulnerability management, and compliance monitoring across multi-cloud environments. 

• Implement Infrastructure as Code (IaC) security scanning using Terraform. 

• Enforce policy-as-code using frameworks like Open Policy Agent (OPA), Kyverno, Sentinel. 

• Manage secrets and credentials securely with tools like AWS Secrets Manager, or Azure Key Vault, or OCI Vault. 

• Design and implement network security controls including microsegmentation, network policies, and zero-trust principles. 

• Implement runtime security and threat detection using container runtime protection tools. 

• Monitor and respond to security incidents in CI/CD and production environments. 

3. Platform Engineering & Architecture 

• Build and maintain secure platform abstractions (golden paths) that enable developers to deploy securely by default. 

• Design and implement security reference architectures for common patterns (microservices, serverless, data pipelines, API gateways). 

• Implement service mesh security features including mTLS, traffic encryption, and policy enforcement. 

• Secure API gateways with authentication, authorization, rate limiting, and threat protection. 

• Manage supply chain security including artifact signing, registry security, and SLSA framework implementation. 

• Build security observability through metrics, dashboards, and security-focused SLIs/SLOs. 

4. Collaboration & Process Improvement 

• Partner with development and operations teams to identify and mitigate security risks early in the SDLC. 

• Participate in code reviews and architecture discussions to ensure security-by-design. 

• Support development teams in remediating vulnerabilities and implementing secure coding practices. 

• Build and lead security champions program to elevate security awareness across engineering teams. 

• Advocate for security automation and continuous improvement, translating security requirements into practical, developer-friendly solutions. 

• Mentor teams on secure development practices and modern security tooling. 

5. Compliance & Governance 

• Ensure alignment with security and compliance standards (ISO 27001, SOC 2, HIPAA, GDPR, PCI-DSS, etc.). 

• Contribute to threat modeling, risk assessments, and security architecture reviews. 

• Maintain audit trails and compliance documentation for deployment pipelines. 

• Implement and enforce security policies across the software delivery lifecycle. 

Qualifications 

Required 

• Bachelor's degree in Computer Science, Information Security, or related field (or equivalent experience). 

• 3+ years of experience in DevOps, Cloud Engineering, Security Engineering, or Platform Engineering. 

• Strong scripting and automation skills (Python, Bash, PowerShell, Go). 

• Hands-on experience with CI/CD tools (GitHub Actions, Azure DevOps). 

• Proficiency in containerization (Docker, Kubernetes) and related security tools. 

• Experience with cloud platforms (AWS, Azure, or Oracle) and IaC frameworks (Terraform). 

• Solid understanding of security principles, threat modeling, and the OWASP Top 10. 

Preferred 

• Certifications such as:  

• AWS Certified Security Specialty / DevOps Engineer 

• Azure Security Engineer / DevOps Expert 

• Certified Kubernetes Security Specialist (CKS) 

• CISSP, GIAC GSEC, or Certified DevSecOps Professional 

• Experience with Wiz or similar cloud-native application protection platforms. 

• Experience with JFrog platform for artifact management and software composition analysis. 

• Experience with policy-as-code frameworks (OPA, Kyverno, Sentinel). 

• Knowledge of supply chain security (SLSA framework, SBOM generation). 

• Experience with monitoring and logging tools (Prometheus, Grafana, Datadog). 

• Understanding of microservices architecture, service mesh, and API security. 

• Familiarity with runtime security. 

• Experience with incident response, SIEM platforms, or SOC processes. 

• Background in secure SDLC methodologies and threat modeling frameworks