Sr. DevSecOps Engineer

DevSecOps Engineer Job Description

Kaseya is seeking a DevSecOps engineer to execute security initiatives across the enterprise. This person is a technical contributor who will build and maintain infrastructure focused security solutions. This individual will be responsible for planning, coordinating, and executing initiatives that improve the security posture of Kaseya. To fulfil the job requirements, maintaining relationships between other departments is a must, including Information Security and Software Engineering.

An ideal candidate for this role is a DevSecOps Engineer with a passion for security. This person must have effective communication and project management skills. An ideal candidate would also need the ability to work autonomously and have a mind and motivation for continuous improvement.

The individual will work on a wide variety of interesting technical problems, operate at scale in an environment with over an exabyte of data, have opportunities to green field solutions, and operate with both autonomy and empowerment from senior leadership.

Roles and Responsibilities

• Security Testing and Analysis: performs regular security testing and analysis to identify vulnerabilities in the software development process. This includes conducting code reviews, penetration testing, and vulnerability scanning.
• Secure Infrastructure: ensures that the infrastructure used by the development team is secure. This includes configuring secure servers, monitoring security logs, and ensuring that security protocols are followed.
• Security Compliance: ensures that the development process adheres to security compliance standards, such as PCI-DSS, HIPAA, and GDPR.
• Security Automation: automates security processes, such as vulnerability scanning and code analysis, to ensure that security is integrated into the development process from the beginning.
• Security Education and Training: provides education and training to the development team to ensure that they are aware of security best practices and can implement them in their work.
• Incident Response: responds to security incidents, such as data breaches or cyber-attacks, by investigating and remedying the issue.
• Risk Assessment: performs risk assessments to identify potential security threats and develops mitigation strategies to reduce the risk of security breaches.
• Collaboration: works closely with the development team, operations team, and security team to ensure that security is integrated throughout the deployment process.

Knowledge & Experience

• Familiar with cloud platforms such as AWS, Azure DevOps, OpenStack and GCP. Understand how to secure cloud resources and how to integrate security into cloud-based applications.
• Experience with provisioning and automation using tools like Terraform, CloudFormation, Ansible, Puppet and OpenStack.
• Familiar with Continuous Integration/Continuous Deployment (CI/CD) Tools like AzureDevOps, Jenkins, CircleCI, GitLab, Travis CI.
• Experience with Security tools and concepts used in all processes from SDLC to pipeline deployment. Technologies include SAST, DAST, Linting, Secret Scanning, Pipeline job templating, repo management.
• Familiar with Source Code Management (SCM) tools like AzureDevOps, Bitbucket, GitHub, GitLab. Understand how to configure these tools to automate the testing and deployment of code while integrating security measures.
• Familiar with containerization technologies including Docker, PodMan, OpenShift and Kubernetes.
• Experience with infrastructure vulnerability scanners such as Nessus, Qualys, or OpenVAS. Understand how to use these tools to identify and remediate vulnerabilities in applications and infrastructure.
• Familiar with logging, SIEM and metrics tools such as Splunk, ELK Stack, Prometheus, Grafana, Kubernetes Logging,etc.
• Experience with programming languages such as Bash, Python3, Ruby, Golang and PHP. They should be able to write code to automate security processes and integrate security into the overall development process.
• Familiar with encryption and key management tools: AWS KMS, Azure Key Vault, Google Cloud KMS, Hashicorp Vault, Kubernetes Secret Management
• Experience Identity and Access Management (IAM): Okta, AWS IAM, Azure Active Directory, SAML
• Familiar with code analysis tools like Linters, SonarQube, Snyk, Checkmarx, StackRox, etc.
• Experience with web application firewall (WAF) tools on prem and in cloud, and assisting in tuning them on a per application basis.

General Qualifications and Experience

• Experience with driving cross-organizational changes.
• Default security-focused mindset.
• Ability to work effectively under pressure in a fast-paced environment.
• Good troubleshooting instincts and the ability to quickly triage / perform root-cause analysis.
• The desire and capability to see a problem through to completion.
• Ability to quickly acquire new skills and thrive in a team-based environment.
• Agility in an environment that requires rapid iteration and pivoting.
• Professional, courteous, and positive attitude.
• Great Project management skills with the capability to manage concurrent initiatives.
• Five plus years of experience with CI/CD platforms.
• Three plus years of experience securing applications via CI/CD pipelines leveraging static code analysis, unit and integration testing, dependency analysis, etc.
• Three plus years of experience performing threat and security design reviews.
• Three plus years of experience with containers.
• Three plus years of experience as a Software Engineer developing and maintaining an application.
• Five plus years of experience with Linux administration (full stack or DevOps experience counts).

Expectations

• Strong written and verbal communication skills, with a passion for documentation.
• Works effectively under pressure in a fast-paced, dynamic environment.
• Strong work ethic and an insatiable desire to learn.
• It thrives in a team-based environment leaving ego at the door.
• Performs other related duties as assigned.
• Off hours/on-call support required.
• Continuously strive for the betterment of engineering at Kaseya.
• Ensure that security concerns are accounted for in every step of the build chain.
• Work with Kaseya engineers to identify workflow pain points and develop their solutions.
• Engineer continuous delivery pipelines that are secure, stable, maintainable, and scalable.
• Develop and enforce security standard methodologies, processes, and tools.
• Be the bridge between security, software and systems engineering.
• Identify trends in need of a larger solution, beyond the scope of the immediate problem.
• Design and champion best security practices within the organization.
• Solve complex and challenging problems with simple, maintainable, and scalable solutions.