Senior DevSecOps Engineer
Indexed description
EastBay Systems is a cybersecurity and information technology consulting firm supporting Federal civilian agencies in delivering secure, resilient, and compliant enterprise systems. We specialize in Cybersecurity Program Management, Security Engineering, Governance, Risk & Compliance (GRC), Security Operations Center (SOC) operations, Cloud Security, and Continuous Monitoring.
We are seeking an experienced Senior DevSecOps Engineer to serve as the organization's primary technical authority for Secure Software Development, DevSecOps, and Application Security within a complex multi-cloud Federal environment.
This is a senior engineering position supporting enterprise software development teams while working closely with Cloud Security Engineers, Cybersecurity Engineers, SOC analysts, GRC specialists, architects, and Federal stakeholders to ensure security is integrated throughout the Software Development Life Cycle (SDLC).
Position SummaryThe Senior DevSecOps Engineer is responsible for integrating security throughout the software development lifecycle and ensuring that applications are secure by design, continuously monitored, and compliant with Federal cybersecurity requirements.
This role leads the implementation of secure software engineering practices, DevSecOps automation, software supply chain security, application threat modeling, security testing, application telemetry, and application security architecture. The engineer serves as the primary liaison between software development and cybersecurity organizations to ensure applications meet FISMA, NIST RMF, NIST Secure Software Development Framework (SSDF), FedRAMP, OMB directives, and agency security requirements before deployment into production.
Key ResponsibilitiesSecure Software Development- Lead implementation of Secure Software Development Lifecycle (SSDLC) practices.
- Develop and maintain secure coding standards aligned with NIST SSDF and OWASP guidance.
- Perform application security architecture reviews and threat modeling.
- Review software designs, APIs, and application architectures for security risks.
- Provide secure coding guidance to development teams.
- Identify and mitigate software security risks throughout the development lifecycle.
- Design and secure CI/CD pipelines supporting cloud-native and hybrid applications.
- Integrate automated security testing into development pipelines, including:
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
- Software Composition Analysis (SCA)
- Infrastructure as Code (IaC) scanning
- Secret detection
- Container image scanning
- Dependency vulnerability scanning
- Automate security validation throughout build, test, deployment, and release processes.
- Lead application security assessments and remediation activities.
- Secure REST APIs, microservices, serverless applications, and containerized workloads.
- Review authentication, authorization, session management, and encryption implementations.
- Support secure software architecture and design reviews.
- Define application security baselines and technical security requirements.
- Implement secure software supply chain practices.
- Establish Software Bill of Materials (SBOM) processes.
- Evaluate open-source software risks and third-party dependencies.
- Support code signing, artifact integrity, and release validation.
- Implement controls consistent with Executive Order 14028 and Federal software supply chain security requirements.
- Define enterprise application logging and security telemetry requirements.
- Identify security events that applications must generate to support continuous monitoring, threat detection, incident response, and forensic investigations.
- Ensure application audit logging complies with NIST SP 800-53, NIST SP 800-92, NIST SP 800-137, OMB M-21-31, and agency logging requirements.
- Define application logging standards for authentication, authorization, privileged actions, API transactions, configuration changes, administrative activities, software deployments, security exceptions, and application errors.
- Collaborate with SOC engineers to ensure application logs integrate into enterprise SIEM and security monitoring platforms.
- Validate that application telemetry supports security analytics, threat detection, compliance reporting, and operational monitoring.
- Establish and maintain secure Ports, Protocols, and Services (PPS) baselines for enterprise applications, APIs, and microservices.
- Develop application communication matrices documenting approved network communications, service dependencies, API integrations, trust boundaries, encryption requirements, and external interfaces.
- Validate application communications comply with Zero Trust Architecture, least functionality, and least privilege principles.
- Identify unnecessary network exposure and recommend attack surface reduction measures.
- Support application architecture reviews to ensure secure communication patterns and proper network segmentation.
- Support FISMA compliance activities affecting software development.
- Participate in RMF implementation and Security Assessment & Authorization (A&A) activities.
- Develop documentation supporting applicable NIST SP 800-53 controls.
- Support Continuous Monitoring (ISCM) activities related to application security.
- Assist with POA&M remediation for application security findings.
- Support compliance with FedRAMP, NIST guidance, OMB cybersecurity directives, and agency-specific security policies.
- Participate in Agile ceremonies, sprint planning, backlog refinement, architecture reviews, and software design meetings.
- Collaborate with Cloud Security Engineers to ensure secure deployment architectures.
- Partner with Cybersecurity Engineering to implement enterprise security standards.
- Work with SOC analysts to develop application detection use cases and monitoring requirements.
- Collaborate with GRC teams to support audits, compliance assessments, and continuous monitoring activities.
- Provide technical leadership and mentorship on secure software development and DevSecOps best practices.
- Bachelor's degree in Computer Science, Software Engineering, Computer Engineering, or a related technical discipline.
- 8+ years of experience in software security, DevSecOps, application security, or secure software engineering.
- Experience designing and securing CI/CD pipelines.
- Experience implementing SAST, DAST, SCA, IaC security scanning, container security, and software supply chain security.
- Strong understanding of secure software architecture, OWASP Top 10, OWASP API Security Top 10, and modern application security principles.
- Experience with Git, GitHub, GitLab, Azure DevOps, or Jenkins.
- Experience with Kubernetes, Docker, and container security.
- Experience developing applications in Azure and/or AWS cloud environments.
- Experience defining application logging, audit requirements, security telemetry, and application PPS baselines.
- Strong knowledge of NIST RMF, NIST SP 800-53 Rev. 5, NIST SP 800-218 (SSDF), FISMA, and OMB cybersecurity directives.
- Experience with PowerShell, Python, or other scripting languages.
- Excellent communication skills and the ability to work effectively with software developers, security engineers, SOC analysts, GRC specialists, and Federal customers.
- CISSP
- CSSLP
- GIAC Cloud Security certifications
- Certified Kubernetes Security Specialist (CKS)
- Microsoft Certified: Azure Security Engineer Associate (AZ-500)
- AWS Certified Security – Specialty
- HashiCorp Terraform Associate
- Experience with Microsoft Defender for Cloud, GitHub Advanced Security, Microsoft Sentinel, Azure Monitor, OpenTelemetry, Application Insights, AWS CloudWatch, CloudTrail, or comparable enterprise security platforms.
- Experience supporting FedRAMP-authorized cloud environments.
You will serve as the organization's dedicated Software Security and DevSecOps Subject Matter Expert, shaping how secure software is designed, developed, tested, deployed, and monitored across multiple Federal cloud environments. You will work alongside Cloud Security, Security Engineering, SOC, and GRC teams to build secure, resilient, and compliant applications that support critical Federal missions.
Create a free Caio profile to unlock more results and save your role and location preferences.
Unlock free search