Lead DevSecOps Engineer
Indexed description
Key Responsibilities & Accountabilities
- Drive the implementation and continuous improvement of the Secure Software Development Life Cycle (SSDLC), ensuring security requirements are integrated throughout the application lifecycle.
- Perform secure code reviews, application security assessments, API security reviews, threat modeling, and application architecture reviews to identify and mitigate security risks.
- Validate application security findings from SAST, DAST, penetration testing, and other security assessments, distinguishing true vulnerabilities from false positives and supporting risk-based remediation.
- Implement and optimize DevSecOps security controls within CI/CD pipelines, including:
- Static Application Security Testing (SAST)
- Software Composition Analysis (SCA)
- Secret Scanning
- Infrastructure as Code (IaC) Scanning
- Container Security Scanning
- SBOM generation and validation
- Enhance automation of application security testing and integrate security controls into the software delivery pipeline.
- Assess software dependencies, open-source components, and third-party libraries to identify vulnerable or unsupported components and strengthen software supply chain security.
- Manage and coordinate penetration testing engagements with vendors and application owners, review assessment reports, validate findings, and track remediation activities through to closure.
- Support application owners and development vendors in implementing security best practices and remediating identified vulnerabilities.
- Assess and monitor the secure development practices of software vendors to ensure compliance with organizational security standards and contractual security requirements.
Job Specifications
Education / Certifications:
- Bachelor's Degree in Computer/Communication Engineering, Computer Science, or a related discipline.
- Information Security-related certificates are a plus.
- Diploma in Cyber Security is a plus.
Job Qualifications:
- Minimum 3-6 years of experience in Application Security, DevSecOps, or Secure SDLC.
- Proven experience in application security, including secure code reviews, vulnerability validation, penetration testing management, and application security remediation.
- Strong practical knowledge of Secure Software Development Life Cycle (SSDLC), Secure by Design principles, OWASP Top 10, Secure Coding Standards, Threat Modeling, API Security, and Web Application Security.
- Hands-on experience with application security technologies, including SAST, DAST, SCA, Secret Scanning, SBOM generation, and software dependency management.
- Experience working with DevOps and CI/CD platforms such as GitHub, GitLab, Azure DevOps, or Jenkins.
- Working knowledge of container technologies, including Docker, Kubernetes, Containers, and Infrastructure as Code (IaC).
- Strong understanding of Secure Design Principles, Authentication & Authorization, OAuth, OpenID Connect, JWT, Secrets Management, PKI, and cryptography basics.
- (Preferred) Experience with Checkmarx, Fortify, Veracode, SonarQube, Snyk, Mend (WhiteSource), GitHub Advanced Security, Trivy, Semgrep, or similar tools.
- (Preferred) Experience with AI-assisted secure code review and application security tooling.
Soft Skills & Behavioral Competencies:
- Strong hands-on software development background with solid programming skills.
- Ability to work collaboratively with cross-functional teams.
- Analytical mindset with a focus on security best practices.
- Proactive problem-solving skills and attention to detail.
- Continuous learning attitude to stay updated with evolving security tools and practices.
Create a free Caio profile to unlock more results and save your role and location preferences.
Unlock free search