Description

Job Summary:
The DevSecOps Engineer integrates security practices into the DevOps process, ensuring that software development, deployment, and operations are secure from end to end.

Experience: 6-10 yrs

Required Skills:
Programming & Scripting
• Python, Bash, Go, Ruby, JavaScript
• Regular expressions for parsing and automation
Security Fundamentals
• Cryptography (TLS, SSL, encryption standards)
• Authentication & Authorization (OAuth2, SAML, JWT)
• Secure coding practices and OWASP Top 10
Cloud Security
• Identity and Access Management (IAM)
• Cloud-native security tools (e.g., AWS GuardDuty, Azure Security Center)
• Cloud workload protection platforms (CWPP)
Container & Orchestration Security
• Docker security best practices
• Kubernetes RBAC, Network Policies, Pod Security Standards
• Container scanning tools (e.g., Anchore, Sysdig)
Networking & Firewalls
• VPNs, proxies, load balancers
• Network segmentation and zero-trust architecture
Compliance & Auditing
• SOC 2, PCI-DSS, HIPAA, GDPR
• Audit logging and forensic analysis
Tools & Platforms
Security Testing
• Static Analysis: SonarQube, Semgrep, Fortify
• Dynamic Analysis: OWASP ZAP, Burp Suite
• Dependency Scanning: Snyk, WhiteSource, Mend.io
• Secrets Detection: GitLeaks, TruffleHog
CI/CD & Automation
• Jenkins, GitHub Actions, GitLab CI, CircleCI
• ArgoCD, Spinnaker
Cloud Platforms
• AWS, Azure, Google Cloud Platform (GCP)
• HashiCorp Vault (for secrets management)
• Terraform, Pulumi (Infrastructure as Code tools)
Monitoring & Logging
• Prometheus, Grafana
• ELK Stack (Elasticsearch, Logstash, Kibana)
• Splunk, Datadog
Vulnerability Management
• Qualys, Nessus, OpenVAS
• Prisma Cloud, Aqua Security
Identity & Access Management
• Okta, Auth0, AWS IAM
• Keycloak

Responsibilities:
1. Security Integration in CI/CD Pipelines
• Embed security checks (e.g., SAST, DAST, SCA) into continuous integration and deployment workflows.
• Automate vulnerability scanning and remediation.
2. Infrastructure as Code (IaC) Security
• Secure IaC templates (e.g., Terraform, CloudFormation).
• Implement policies to prevent misconfigurations and enforce compliance.
3. Monitoring & Incident Response
• Set up security monitoring tools (e.g., SIEM, IDS/IPS).
• Respond to security incidents and perform root cause analysis.
4. Threat Modeling & Risk Assessment
• Conduct threat modeling during design and development phases.
• Assess risks and recommend mitigation strategies.
5. Tooling & Automation
• Select and integrate security tools (e.g., SonarQube, Aqua Security, HashiCorp Vault).
• Automate security tasks to reduce manual effort and human error.
6. Compliance & Governance
• Ensure adherence to standards like ISO 27001, NIST, GDPR, HIPAA.
• Maintain audit trails and documentation for compliance.
7. Collaboration & Training
• Work closely with developers, operations, and security teams.
• Educate teams on secure coding practices and DevSecOps principles.

Education

Any Graduate