We are seeking a passionate, dynamic, creative professional to help build out a DevSecOps practice. This person will help bring security closer to our cloud (e.g., AWS, Azure, GCP) services, DevOps, and development practices, including build/release management and a secure SDLC. They will have opportunities to build automated security processes within our CI/CD pipelines and implement security best practices in many IT areas. This role will help design, implement, and support secure cloud solutions and processes leveraged by homepoint applications hosted in our different environments. We are looking for someone with a broad set of skills in the Secure Development space who can work well with many personalities and teams, and who will promote security and learning across many teams.
This individual will be responsible for:
- The management of vulnerability and threat landscape for engineering and build teams.
- Engineer, implement solutions, and provide recommendations for continuous improvement of homepoint apps.
- Present regular status updates and provide cross-training to other development team members.
- Be active in evaluating and recommending new security tools, services, and technologies.
- Help build components of our Agile strategy and implementation to better integrate security into the organization.
- Work with product owners and engineering teams to create, implement and apply DevSecOps principles, processes, and culture across the IT organization.
- Manage certain aspects of vulnerability, threat, and exposure as they are handled and mitigated within the application development teams.
- Conduct risk assessments and manage risk as it relates to different stages of the software development lifecycle.
- Advocate for appropriate testing and reliability practices, e.g., unit testing, code reviews, full/partial build testing, QA engineering practices, vulnerability, pen test checks, and other requirements, promoting techniques to the teams to improve overall secure delivery practices.
- Ensure appropriate security training and tools are implemented within the application security programs.
- Manage Cybersecurity best practices within the DevSecOps field to make sure engineering teams are up to date with standard defensive techniques related to app development and architecture.
- Partner with development and operations teams to facilitate practical automation for testing and managing cybersecurity controls.
- Help build and manage DevSecOps processes within our CI/CD pipeline so that practical security checks and balances are in place as part of app dev workflows.
- Help different technology teams adopt security tools/technologies/techniques; work with leadership to prioritize solutions related to cost, effort and value.
- Work with many different engineering and scrum teams to deliver on security objectives for specific sprints and workflows.
- Advocate for the best practices in Data Privacy within app dev areas and be the customer's voice in reducing data exposure.
- Manage and measure performance as it relates to security effectiveness and maturity.
- Work with IT teams to bring continuous monitoring and improvement to DevSecOps processes.
- Bachelor of Science or equivalent technical education.
- Minimum of 5 years of application security experience with both interpreted and compiled programming languages.
- Must have actual/active development experience in an Agile environment.
- Application security experience with Windows and Linux-based applications.
- Strong knowledge of public cloud architecture, development, and infrastructure.
- Knowledge of event-driven architecture patterns, e.g., Apache Kafka and microservice architecture.
- Experience with containerization and orchestration of web services.
- Experience with white-box and black-box penetration testing, as well as IAST and RASP principles.
- Strong working knowledge of Agile, SAFe, and DevSecOps.
- Experience working with application teams on multi-tiered web apps (C#, C++, Java, Python, PHP, PowerShell, Bash, etc.).
- Knowledge of Git, ADO, Terraform, Docker, Kubernetes, Ansible, Chef, other Agile CI/CD and project management tools, and Kanban boards such as Jira Align.
- Security administration, development, and management credentials are strongly desired, such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), or other similar certifications.
- Demonstrated competencies in system administration, DevSecOps or systems knowledge, and security protocols for client/server environments.
- Sound knowledge of business management and expert knowledge of information/cybersecurity application solution design and testing.
- Strong knowledge of key cybersecurity technologies such as network security tools (firewalls, intrusion detection system (IDS)/intrusion prevention system (IPS), content filtering, network access control (NAC)), endpoint protection (AV, EDR, MDM), data loss prevention, encryption, vulnerability management, and security information and event management (SIEM).
- Knowledge and understanding of information security legal and regulatory requirements, such as GLBA, CCPA, SOC 1 and 2, the Sarbanes-Oxley Act (SOX), and the Payment Card Industry Data Security Standard (PCI DSS).
- Knowledge of common information security management frameworks, such as ISO/IEC 27001, COBIT, and NIST, including 800-53 and the Cybersecurity Framework.