DevSecOps Engineer
Standard Chartered
Job Description
At least six years of experience, including:
- 2+ years of Information Security or engineering experience.
- 2+ years of direct experience in at least one Public Cloud (AWS or Azure).
- Work closely with Product Security, Engineering, Operations and Corporate Security to define the security strategy and execute on it; implement automation so developers can easily consume security services.
- Improve the accessibility of security through automation, continuous integration pipelines and other means; design a secure application-release automation process that makes security an integral part of the CI/CD pipelines.
- Enforce standard methodologies, processes and tools, and ensure compliance with enterprise architecture, global information security policies and engineering strategy.
- Validate adherence to AWS and Azure governance standards for policy definitions, role-based access control, ARM templates, resource groups and Azure Blueprints.
- Identify security tools and lead the operationalization of solutions from POC to production (e.g. API threat protection, container security); streamline the POC process.
- Work with SRE and Engineering to implement a chaos-testing methodology and toolkit; integrate the issue tracking of security tools with Jira.
- Implement automation for investigation and response workflows (automated incident response).
- Interview, hire, and create on-boarding plans for new or transferred employees.
- Encourage others to seek opportunities for different and innovative approaches to addressing problems; facilitate the implementation and acceptance of change.
- Produce and streamline audit evidence.
- Stay current on threats, vulnerabilities, and controls.
- Familiarity with SecOps processes such as detection, monitoring, alerting and threat intelligence.
- Hands-on proficiency in scripting and coding with Bash and Python, and in IaC (Terraform, CloudFormation, Azure ARM templates).
- Participate in the entire software development lifecycle: requirements analysis, design, development, testing, deployment and maintenance (tools such as JUnit, Postman, Burp, Terratest, Sentinel, misconfiguration tests, OPA, etc.).
- Hands-on experience in infrastructure provisioning, configuration of provisioned infrastructure and application deployment, and with pipeline plugins such as TFLint, Checkov, Docker Linter, docker-vulnerability-extension, Security Scan, Contrast Security, etc.
- Extensive knowledge of analyzing the contents and the build process of a container image to detect security issues, vulnerabilities or potential risks; open-source tools such as Dagda, Clair, Trivy and Anchore can be leveraged for container image analysis.
- Familiarity with open-source tools such as Jenkins for building CI/CD pipelines, and with DefectDojo and OWASP Glue for tying the checks together and visualizing their results in a single dashboard.
- Hands-on experience with open-source tools such as truffleHog, git-secrets, GitGuardian and similar for detecting secrets committed to source repositories.
- Expert knowledge of integrating crucial security tasks into CI/CD pipelines.
- Strong knowledge of software development methodologies and the software development lifecycle.
- Strong knowledge of container security and secrets management.
- Working experience with configuration management.
- Experience with Azure technologies in general, such as Service Fabric, Application Service Environment, Azure Kubernetes Service, Azure DevOps, Azure Monitor, Azure Sentinel, Azure Defender Suite, Azure SQL, Cosmos, Azure APIM, Azure AD, Azure OMS/Application Insights, Global Traffic Manager, etc.
- Experience with AWS technologies such as CodePipeline, CodeBuild, CodeDeploy, CodeStar, Guardrails, Amazon ECS, AWS Lambda, etc.
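The container-image analysis and "single dashboard" items above describe a pipeline gate: scan the image, decide from the findings whether the build may proceed, and hand developers something they can act on. The script below is an added example for this listing (not Standard Chartered's code and not part of Trivy) of that gate over a Trivy JSON report. The report, the `registry.example.internal` image name, the `payments-team` owner and the `CVE-0000-000x` identifiers are constructed placeholders, not real findings.

```python
"""CI gate for a Trivy container-image scan report.

Added example for this listing; it is not Standard Chartered's code and not part
of Trivy. It reads the JSON that `trivy image --format json` writes, applies a
severity policy plus an expiring, owner-attributed allow-list, and returns a
verdict the pipeline step turns into an exit code. The report, CVE ids, package
names and versions below are constructed placeholders, not real findings.
"""
import json
import sys
from datetime import date

# Constructed sample report; field names follow Trivy's JSON layout
# (Results -> Vulnerabilities). Nothing here is a real finding.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.internal/payments-api:1.4.2",
    "Results": [
        {"Target": "registry.example.internal/payments-api:1.4.2 (alpine 3.18.4)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "Severity": "CRITICAL",
              "InstalledVersion": "3.1.0-r0", "FixedVersion": "3.1.4-r0"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox", "Severity": "HIGH",
              "InstalledVersion": "1.36.1-r0", "FixedVersion": ""},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib", "Severity": "MEDIUM",
              "InstalledVersion": "1.2.13-r1", "FixedVersion": "1.3-r0"},
         ]},
        {"Target": "app/requirements.txt",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "requests", "Severity": "HIGH",
              "InstalledVersion": "2.28.0", "FixedVersion": "2.31.0"},
         ]},
        {"Target": "app/.env", "Class": "secret"},  # a result with no Vulnerabilities key
    ],
})

BLOCKING_SEVERITIES = frozenset({"CRITICAL", "HIGH"})

# Waivers carry an owner, a reason and an ISO-8601 expiry so they get re-reviewed
# instead of silently accumulating. Hypothetical entry for the sample report.
ALLOWLIST = {
    "CVE-0000-0004": {"owner": "payments-team", "expires": "2099-01-01",
                      "reason": "vulnerable code path not reachable; upgrade scheduled"},
}


def evaluate(report_json, today=None, blocking=BLOCKING_SEVERITIES,
             allowlist=ALLOWLIST, ignore_unfixed=True):
    """Return (passed, blocking_findings, waived_findings, deferred_findings).

    blocking: severity in `blocking`, a fix is available (or ignore_unfixed is
              False) and no unexpired waiver covers the CVE.
    waived:   an allow-list entry covers the CVE and has not expired.
    deferred: blocking severity but no fixed version yet: reported, not gated on.
    `today` is an ISO date string; ISO dates compare correctly as strings.
    """
    today = today or date.today().isoformat()
    report = json.loads(report_json)
    blocking_findings, waived, deferred = [], [], []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln["Severity"] not in blocking:
                continue
            finding = {
                "id": vuln["VulnerabilityID"], "target": result["Target"],
                "pkg": vuln["PkgName"], "severity": vuln["Severity"],
                "installed": vuln["InstalledVersion"],
                "fixed": vuln.get("FixedVersion") or None,
            }
            waiver = allowlist.get(finding["id"])
            if waiver and waiver["expires"] >= today:
                waived.append({**finding, "owner": waiver["owner"], "expires": waiver["expires"]})
            elif finding["fixed"] is None and ignore_unfixed:
                deferred.append(finding)
            else:
                blocking_findings.append(finding)
    return not blocking_findings, blocking_findings, waived, deferred


def remediation_lines(findings):
    """Developer-facing summary: what to bump, to which version, where."""
    return [f"{f['severity']} {f['id']}: {f['pkg']} {f['installed']} -> "
            f"{f['fixed'] or 'no fix yet'} ({f['target']})" for f in findings]


if __name__ == "__main__":
    # In a pipeline: trivy image --format json -o report.json IMAGE; python gate.py report.json
    report_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, blocked, waived, deferred = evaluate(report_text)
    for line in remediation_lines(blocked):
        print("BLOCK   ", line)
    for f in waived:
        print("WAIVED  ", f["id"], "by", f["owner"], "until", f["expires"])
    for line in remediation_lines(deferred):
        print("DEFERRED", line)
    sys.exit(0 if passed else 1)
```

Trivy itself can fail a build with `--exit-code 1 --severity HIGH,CRITICAL` and skip unfixable findings with `--ignore-unfixed`; what this layer adds is the waiver with an owner and an expiry date (so the exception, not the vulnerability, is what gets audited) and a summary a developer can act on without reading the raw report. The same findings dictionaries are what you would push to DefectDojo or a similar dashboard.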
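The secret-detection item names truffleHog, git-secrets and GitGuardian; the two techniques behind such tools are pattern rules for known credential formats and a Shannon-entropy check for long random-looking strings. The script below is an added example for this listing (not Standard Chartered's code, and not the implementation of any of those tools) that applies both to the lines a change adds. The diff is constructed; the AWS values in it are AWS's published documentation examples, not live credentials, and the file paths are placeholders.

```python
"""Pre-merge secret scan over a unified diff.

Added example for this listing; not Standard Chartered's code and not the
implementation of truffleHog, git-secrets or GitGuardian. Regex rules catch
known credential formats and credential-ish literal assignments; a Shannon
entropy check catches long random-looking tokens. Only added lines are scanned,
so pre-existing findings do not block unrelated work. The diff is constructed;
the AWS values are AWS's published documentation examples, not live keys.
"""
import math
import re
from collections import Counter

SAMPLE_DIFF = """diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,2 +1,5 @@
 import os
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DB_PASSWORD = "changeme"
+BUILD_ID = "2024-01-15T10:32:00Z"
diff --git a/deploy/id_rsa b/deploy/id_rsa
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA...
+-----END RSA PRIVATE KEY-----
"""

# Rule-based detection: formats that are a finding regardless of entropy.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    # A credential-ish name assigned a quoted literal; env lookups are not matched.
    ("keyword_assignment", re.compile(
        r"(?i)(?:password|passwd|secret|token|api[_-]?key)[a-z0-9_]*\s*[:=]\s*['\"][^'\"]{4,}['\"]")),
]
# Entropy-based detection: base64/hex-ish runs long enough to be a key.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.5  # bits per char; random base64 sits above, identifiers below
HUNK_RE = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(s):
    """Keep enough of a match to locate it, never enough to reuse it."""
    return s[:4] + "*" * (len(s) - 4) if len(s) > 8 else "*" * len(s)


def added_lines(diff_text):
    """Yield (path, new_line_number, text) for every line a unified diff adds."""
    path, new_no = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            name = raw[4:].strip()
            path = name[2:] if name.startswith("b/") else name
        elif raw.startswith("@@"):
            m = HUNK_RE.match(raw)
            if m:
                new_no = int(m.group(1))
        elif raw.startswith("+"):
            yield path, new_no, raw[1:]
            new_no += 1
        elif raw.startswith(" ") or raw == "":
            new_no += 1  # context line: in the new file, but not added by this change
        # removed lines, "diff --git" headers and "\ No newline" markers do not advance new_no


def scan_diff(diff_text, threshold=ENTROPY_THRESHOLD):
    """Return one finding per (line, rule) hit, samples redacted."""
    findings = []
    for path, line_no, text in added_lines(diff_text):
        for name, pattern in RULES:
            for m in pattern.finditer(text):
                findings.append({"path": path, "line": line_no, "rule": name,
                                 "sample": redact(m.group(0))})
        for token in TOKEN_RE.findall(text):
            ent = shannon_entropy(token)
            if ent > threshold:
                findings.append({"path": path, "line": line_no, "rule": "high_entropy",
                                 "entropy": round(ent, 2), "sample": redact(token)})
    return findings


if __name__ == "__main__":
    import sys
    # In a pipeline: git diff origin/main...HEAD | python secret_scan.py
    diff_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = scan_diff(diff_text)
    for h in hits:
        print(f"{h['path']}:{h['line']} {h['rule']} {h['sample']}")
    sys.exit(1 if hits else 0)
```

On the sample diff the access key id is caught by its format rule even though its entropy is too low for the entropy check, the secret key is caught by both the keyword rule and the entropy check, the hard-coded password is caught only by the keyword rule, and the timestamp on the following line is not reported at all. That is why the two techniques are combined: neither alone covers both low-entropy passwords and unlabelled random tokens.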