DevSecOps Engineer

Key Responsibilities

• Drive a security-by-design approach across cloud infrastructure, CI/CD pipelines, and application architecture
• Partner with DevOps and platform engineering teams to embed security controls into existing and new systems
• Architect and implement cloud security posture management across AWS environments (GuardDuty, Security Hub, IAM, KMS, Secrets Manager, WAF)
• Define and enforce security standards for infrastructure as code (Terraform), container workloads (Docker, Kubernetes/EKS), and microservices
• Integrate automated security tooling into CI/CD pipelines including SAST, DAST, SCA, and secret scanning
• Establish and maintain container and Kubernetes security practices including image scanning, runtime threat detection, and admission control
• Build and maintain observability and alerting for security events using SIEM tooling integrated with existing monitoring infrastructure
• Define identity and access management standards including least-privilege IAM policies, secrets rotation, and zero-trust access patterns
• Lead security architecture reviews for new systems, features, and third-party integrations
• Support incident response efforts as needed and drive post-incident improvements
• Develop internal security documentation, standards, and runbooks to enable the broader engineering team
• Evaluate and drive compliance initiatives (SOC 2, CIS Benchmarks) as the business scales

Required Qualifications

• 7+ years of experience in DevOps, cloud infrastructure, or security engineering roles with meaningful overlap across both disciplines
• Deep hands-on experience with AWS security services including GuardDuty, Security Hub, IAM, KMS, Secrets Manager, CloudTrail, and Config
• Proficiency in infrastructure as code security using tools such as Checkov, tfsec, or Snyk IaC alongside Terraform
• Experience securing containerized environments with Kubernetes/EKS including Falco, Trivy, and admission controllers (Kyverno, OPA Gatekeeper)
• Hands-on experience with DevSecOps tooling: SAST (Semgrep, SonarQube), DAST (OWASP ZAP), SCA (Snyk, Dependabot), and secret scanning (GitGuardian, Trufflehog)
• Strong knowledge of networking, identity, and access management fundamentals in cloud-native environments
• Experience with SIEM platforms and security observability integration (Datadog, Elastic, Splunk, or equivalent)
• Ability to communicate security risk and architectural decisions clearly to both technical and non-technical stakeholders