Sr. DevSecOps Engineer

Kastech Software Solutions Group
Harrisburg, PA

Role: Sr. DevSecOps Engineer

Location: Harrisburg, PA - Hybrid

Work Location: Hybrid with two days onsite (1920 Technology Parkway, Mechanicsburg, PA 17050).

Duration: Long term Contract


Management may do either an in-person interview in Harrisburg, PA or a virtual Teams interview.


Role summary

  • Hands-on security automation for AWS delivery. Build secure-by-default CDK constructs and CloudFormation templates, wire them into CI/CD, and enforce compliance checks that map to CJIS and NIST. Azure support is a future consideration, not a core day-one duty.


Scope boundaries

  • Does not own enterprise AWS Organizations or SCP operations.
  • Designs and builds reference guardrails and enforcement patterns that can be deployed by enterprise teams.
  • Focuses on preventive controls and compliance automation, not incident response.

What you will deliver

  • Pipeline security templates in GitHub Actions and Azure DevOps with SAST, SCA, IaC, container, and secret scanning gates.
  • Compliance as code in reference accounts: AWS Config rules and Security Hub standards aligned to CJIS and NIST 800-53, with exceptions workflow documented.
  • IaC reference modules using AWS CDK and CloudFormation for IAM least privilege, KMS, Secrets Manager, logging, and network baselines; Terraform equivalents provided where teams require them.
  • Evidence exports tying checks to control IDs and producing auditor-ready artifacts.
  • Harden CDK/CFT modules and pipeline templates as compliance needs evolve.
  • Coach pilot teams to adopt templates.
  • Raise gaps to enterprise teams for org-level enforcement.


Day-to-day responsibilities

  • Author and maintain AWS CDK constructs and CloudFormation templates; provide Terraform versions as secondary.
  • Implement AWS Config conformance, Security Hub standards, and GuardDuty routing in reference accounts.
  • Wire scanning in CI/CD for app code, containers, and IaC.
  • Create reusable GitHub/Azure DevOps templates with enforcement gates and exception handling.
  • Generate posture and evidence reports mapped to CJIS and NIST controls.


Required skills

  • 5+ years AWS security automation and DevOps.
  • Strong with AWS CDK and CloudFormation; working proficiency in Terraform.
  • CI/CD authoring in GitHub Actions and Azure DevOps.
  • Proficient in Python and Bash, with PowerShell for Windows automation.
  • Able to read Java and C# to integrate and tune SAST/SCA.
  • Practical knowledge of CJIS and NIST 800-53 control families and how to automate checks and evidence.


Nice to have

  • EKS/ECS/Lambda hardening patterns.
  • OPA/Conftest, Checkov, Trivy, Inspector, CodeQL or equivalent.
  • Basic Azure security automation for future phases.

Decision rights

  • Independent on design and build within standards; proposes guardrails and reference patterns; escalates enterprise-wide changes.



| Skill / Experience | Required / Preferred | Years of experience |
|---|---|---|
| AWS security automation and DevOps experience | Required | 5+ Years |
| Strong experience with AWS CDK, CloudFormation; working proficiency in Terraform | Required | |
| CI/CD authoring using GitHub Actions and Azure DevOps | Required | |
| Proficiency in Python and Bash, with PowerShell for Windows automation | Required | |
| Ability to read Java and C# for SAST/SCA integration and tuning | Required | |
| Knowledge of CJIS and NIST 800-53 control families with automation of checks/evidence | Required | |
| Experience with EKS/ECS/Lambda hardening patterns | Nice to have | |
| Experience with OPA/Conftest, Checkov, Trivy, Inspector, CodeQL or equivalent tools | Nice to have | |
| Basic Azure security automation knowledge | Nice to have | |
