4+ years in DevSecOps or related field focusing on CI/CD security
Bachelor's in Engineering or related discipline, Computer Science preferred
Experienced in securing cloud environments, especially Google Cloud Platform (GCP)
Strong background in hardening CI/CD systems like GitHub Actions
Knowledge of security practices for application development including SAST and DAST
Proficient in programming languages such as Golang, TypeScript, or Python
Familiar with compliance standards like SOC 2 and ISO 42001
Responsibilities
Implement and manage DevSecOps practices throughout the Software Development Lifecycle
Design and harden CI/CD pipelines with security-first principles
Integrate security checks to prioritize high-severity issues in build processes
Secure cloud infrastructure in GCP through least privilege and traffic restriction
Manage encryption and key rotation safely using Cloud KMS
Oversee container hardening and ensure supply chain integrity
Monitor CI/CD pipelines and production for compliance and anomalies
Benefits
Collaborative startup environment with a high-intensity pace
Opportunity to work with cutting-edge security practices and tools
Exposure to a variety of compliance frameworks and cloud technologies
Potential to influence security culture across the organization
Access to a diverse range of projects and responsibilities within a full-stack team
Full Job Description
Your Role at Maxima
Implement and manage DevSecOps practices across the entire Software Development Lifecycle (SDLC), ensuring a "shift-left" approach to security.
Comfortable with Kubernetes and other container orchestration platforms
Design and harden CI/CD pipelines (e.g., GitHub Actions) by implementing minimal permissions and leveraging OIDC with Workload Identity Federation for cloud deployments.
Integrate and enforce security checks, including SAST, dependency scanning, and secret scanning (e.g., using tools like Trufflehog or GitGuardian), to fail builds on high-severity issues.
Secure cloud infrastructure (GCP) by implementing the principle of least privilege for IAM, configuring VPC firewalls to restrict traffic, and using Google Secret Manager.
Manage encryption and key rotation using Cloud KMS, ensuring all secrets are handled securely and not stored in code or plaintext.
Oversee container and artifact hardening, including using multi-stage builds, scanning images for vulnerabilities, and signing artifacts (e.g., Cosign) for supply chain integrity.
Ensure application code follows secure coding best practices, including input validation, output encoding to prevent XSS, and secure authentication/session management via Descope integration.
Monitor CI/CD pipelines and production environments (using GCP and Datadog) for anomalies, security-relevant events, and audit logs to meet compliance requirements.
Maintain documentation and controls necessary to align with compliance frameworks, including SOC 2, SOC 1, and ISO 42001 for AI governance.
Assist in developer infrastructure work, including deployment automation and internal tooling, in a full-stack environment.
Your Qualifications
4+ years of experience in DevSecOps, Security Engineering, or a related role focused on CI/CD pipeline security.
Bachelor's degree in any engineering discipline; Computer Science is preferred but not mandatory.
Proven experience securing cloud environments, preferably Google Cloud Platform (GCP), with familiarity in IAM, Secret Manager, VPC controls, and Cloud KMS.
Strong practical experience with hardening continuous integration/continuous deployment (CI/CD) systems (e.g., GitHub Actions, Blacksmith, or similar).
Proficiency in security practices for application development (SAST, DAST, secret scanning) and a deep understanding of common security anti-patterns (e.g., hard-coded secrets, insufficient input validation).
Proficient in languages like Golang, Typescripts, Python, or similar programming languages used for automation and development.
Familiarity with compliance standards like SOC 2, PCI DSS, or ISO 42001 and experience generating evidence for auditors.
Can handle the high intensity and fast pace of a startup environment.