JobAxle - IT & Engineering Jobs

DevSecOps Engineer

Kathmandu
Experience: More than 3 years

Views: 51 | This job is expired 1 week, 6 days ago

Basic Job Information

Job Category : Construction / Engineering / Architects
Job Level : Mid Level
No. of Vacancy/s : [ 1 ]
Employment Type : Full Time
Job Location : Kathmandu
Apply Before(Deadline) : May. 04, 2024 15:20 (1 week, 6 days ago)

Job Specification

Education Level : Under Graduate (Bachelor)
Experience Required : More than 3 years

About the job

The DevSecOps engineer is an advanced role to help support, secure, manage and deploy solutions that support business objectives. The role is highly technical, and candidates must possess a solid understanding of information security, infrastructure, software and various operating systems. The role also requires an understanding of business goals/strategy and operational requirements in a fast-paced environment. The DevSecOps engineer supports continuous integration and continuous deployment (CI/CD) initiatives and is an integrated team member working with software developers, system engineers, cybersecurity engineers and systems administrators. At times, the DevSecOps engineer acts as a liaison with business stakeholders to understand the strategy and execution outlook. The role is heavily security-focused and ingrained in the CI/CD pipeline automation to deliver security principles and validation at all times. The DevSecOps engineer is responsible for developing and implementing DevSecOps as a service offering to the enterprise and customers.


Roles and Responsibilities:


  • Lead the development and implementation of DevSecOps practices within the company and extend them as a customer service, integrating security, development, and operations for secure and efficient software delivery.
  • Build relationships with developers, stakeholders, and scrum masters to incorporate security principles into engineering design and deployments.
  • Supervise testing and validation in application security controls across projects.
  • Oversee implementation of defensive practices and countermeasures across infrastructure and applications.
  • Draft and uphold CI/CD security strategy and practices in tandem with other technical team leads.
  • Serve as a point of contact for security-based escalations and remain tightly involved through resolution.
  • Build services and tools to enable developers and engineers to easily use security components produced by application security team members.
  • Simplify automation that applies security inter-workings with CI/CD pipelines.
  • Enrich DevOps architecture with security standards and best practices.
  • Support the ability to “shift left” and incorporate security early on and throughout the development lifecycle with risk assessments, architecture reviews, and threat modeling.
  • Identify vulnerabilities in code through automated and manual assessments (SAST, DAST, IAST, RASP, and SCA tools), and promote quick remediation.
  • Communicate vulnerability results in a manner understood by technical and non-technical business units based on risk tolerance and threat to the business, and gain support through influential messaging.
  • Leverage vulnerability database sources to understand the weakness, probability, and remediation options supplied by vendors as well as workarounds.
  • Join forces and provision security principles in architecture, infrastructure, and code.
  • Regularly research and learn new tactics, techniques, and procedures (TTPs) in public and closed forums, and work with colleagues to assess risk and implement/validate controls as necessary through the CI/CD pipeline.
  • Partner with teams to define key performance indicators (KPIs) and metrics across business units.
  • Share lessons and takeaways from engagements to improve practice competencies.
  • Openly support the organization, management, and executive leadership team always.
  • Perform other duties as assigned.

Required Knowledge, Skills, and Abilities:


  • Experience with SCA, SAST, DAST, IAST, and RASP.
  • Experience with public cloud providers (AWS, Azure, GCP).
  • Proficient in securing Windows and *nix operating systems, endpoint applications, networking protocols, and devices.
  • Experience with container security, such as Docker and Kubernetes.
  • Knowledge of CI/CD platforms, such as Jenkins and CircleCI.
  • Experience building prototypes of tools and exploits, as well as conducting vulnerability and penetration tests.
  • Proficiency in software development (Java, Rust, Golang, Python, C++, Ruby, etc.).
  • Experience with security requirements for APIs.
  • Knowledge of General Data Protection Regulation (GDPR), Payment Card Industry (PCI), National Institute of Standards and Technology (NIST) or International Organization for Standardization (ISO) requirements.
  • Preferable to have one or more of the following certifications: GWAPT, GWEB, GCSA, CISSP, CSSLP.
  • Exceptional project management skills and capable of managing complex and lengthy engagements.
  • Aptitude for technical writing, combined with outstanding business acumen and communication skills.
  • Effective presentation skills, capable of delivering findings, risk, and recommendations to stakeholders.
  • High degree of integrity, trustworthiness, and confidence; represents the company and its management team with the highest level of professionalism.
  • Written and verbal proficiency in English and Nepali languages.

Education + Experience:


  • Bachelor's degree in Computer Science, Information Technology, or a related field.
  • Five to seven years of experience in information technology, information security administration, or security operations.
  • Three or more years of experience in cybersecurity with a product and application security engineering background.

Benefits:


  • 5 working days a week (09:00 am-06:00 pm)
  • Multinational company located in the UK, Australia, Nepal, Bangladesh, Pakistan, Finland, USA and India
  • Best-in-class work environment with friendly team members (refreshment, recreational, team building activities)
  • Exposure to team management and leadership
  • Opportunity to travel to other countries as part of training and development
  • Work in multidisciplinary areas in a start-up ecosystem

This job has expired.
