Description

This role is part of the application security engineering team responsible for scanning code
according to established guidelines, secure development policies and procedures. This role will
focus heavily on building and enhancing the Software Composition Analysis (SCA) practice,
helping software developers across Wells Fargo CIO teams build faster and more securely,
fine-tuning the tools, and leveraging AI where possible to improve processes and services for an
optimal developer experience.

Candidates must have experience with either the Checkmarx or the Black Duck tool.

Key Responsibilities:
- Manage security automation tools with a focus on SCA (e.g., Checkmarx One, Black Duck) and
  other tools in the ecosystem, and support operational management including regularly
  scheduled upgrades of the tools.
- Interface with internal teams (ServiceNow AVR, DevOps and the vulnerability operations team)
  to ensure SCA vulnerabilities are identified and recorded per the application security
  policies and guidance.
- Collaborate with security architecture teams to design the vulnerability management
  workflow, establish best practices and design guidance to optimize the experience for
  developers.
- Provide security training and outreach as needed for internal development teams.
- Perform adversarial security analysis on application security requirements as requested by
  CIO teams; research and recommend cutting-edge tools and industry best practices.
- Work with application security governance teams and risk & compliance partners on audits
  (e.g., SOC 2, PCI-DSS) and recommend relevant policies.
- Collaborate with CTO pipeline teams to improve code quality and vulnerability detection for
  open source, code signing and SBOM creation.
- Analyze, enhance, architect and support container security tools and platforms.
- Design and build advanced security solutions to strengthen open source software supply
  chains for effective automation and management.

Required Qualifications:
- 5+ years of Information Security Engineering experience, or equivalent demonstrated through
  one or a combination of the following: work experience, training, military experience,
  education
- 5+ years of experience as an Application Security and DevSecOps engineer, collaborating with
  developers to adopt and mature secure development
- 3+ years of experience in one or more programming languages: .NET, C#, Java, Rust, C++

Desired Qualifications:
- Ability to write automation scripts in Python or PowerShell to support internal projects
- Experience with CI/CD pipelines and related technologies (e.g., GitHub, Jenkins, Maven,
  Artifactory, Harness, Xray, Curation)
- Good understanding of the secure software development lifecycle
- Strong knowledge of the OWASP Top 10 or CWE
- Detail-oriented; must be able to create documentation on SCA procedures and tool
  configuration
- Familiarity and experience with AI tools supporting false positive reduction, automated code
  remediation and open-source threat intelligence is preferred
- Experience with Jira/Confluence
- Strong problem-solving and analytical skills
- Certification in information security (CISSP, CISM, CEH, etc.)
- Experience with container security, working with technologies such as k8s and container
  platforms such as OpenShift
- Experience generating Software Bills of Materials (SBOMs) using CycloneDX or SPDX, and
  managing or using Dependency-Track

Education

Any Graduate