Senior DevSecOps Engineer

About the position

The Senior DevSecOps Engineer at Innovative Defense Technologies (IDT) is responsible for ensuring the security and efficiency of software development and deployment processes. This role involves building a high-quality Secured Software Supply Chain (S3C) and requires a unique blend of skills in development, security, and operations. The successful candidate will work closely with senior leadership and a team of engineers to address complex challenges, mentor team members, and continuously improve DevSecOps practices.

Responsibilities

• Contribute to the development and maintenance of automation for provisioning and updating the S3C stack and Kubernetes-based deployments.
• Develop and maintain advanced automated security testing processes, including static code analysis, static application security testing (SAST), software composition analysis (SCA), and security scanning for containers and infrastructure.
• Integrate security checks at various stages of the CI/CD pipelines to ensure that security assessments are performed automatically during code build, testing, and deployment.
• Implement advanced security controls and best practices for cloud infrastructure, virtual machines, and container environments to safeguard against unauthorized access and data breaches in the S3C.
• Identify, prioritize, and remediate security vulnerabilities across the development and testing environments, coordinating with developers and operations teams to address critical issues promptly.
• Collaborate with internal Cyber/Compliance/SECOPs groups to ensure that software and infrastructure meet relevant security compliance standards and regulations, such as DISA STIGs.
• Manage access controls and permissions for users and applications, employing principles like least privilege and role-based access control (RBAC).
• Continuously evaluate and enhance DevSecOps practices, tools, and processes to adapt to evolving security threats and industry best practices.

Requirements

• Minimum 10 years of experience in DevOps/DevSecOps or full-stack software development and testing.
• B.S. in a software engineering field.
• Proven experience with containerization technologies like podman and Docker.
• Strong experience with virtualization (hypervisor) environments such as VMware.
• Advanced proficiency in Linux and Windows.
• Extensive experience in software development processes, version control systems (e.g., Git), and coding and scripting languages such as Python, Ruby, JavaScript, Shell scripting, etc.
• In-depth experience working with software development tools such as Jenkins, Maven, Gradle, Nexus, etc.
• Strong working knowledge of Dev[Sec]Ops and CI/CD practices.
• Experience with Infrastructure as Code (IaC) and automation tools such as Ansible or Puppet.
• Familiarity with various security concepts, vulnerabilities, and best practices.

Nice-to-haves

• Extensive experience in DevSecOps and CI/CD.
• Advanced experience with Infrastructure as Code (IaC) and automation software such as Ansible or Puppet.
• Experience with advanced security testing tools such as SAST, DAST, SCA, and other vulnerability scanning tools.
• Familiarity with container orchestration platforms like Kubernetes.
• Strong understanding of common security threats and how to mitigate them, as well as familiarity with security frameworks and standards like OWASP and NIST.
• Experience with industry-specific security compliance standards and regulations, such as DISA.
• Knowledge of network security concepts, firewalls, VPNs, and intrusion detection/prevention systems (IDS/IPS).
• Expertise in authentication mechanisms (e.g., OAuth, SAML) and authorization protocols (e.g., RBAC, ABAC).