Senior DevSecOps Engineer (Work at Home or Virtual Optional)

Description

The Senior DevOps Engineer Enables the automation of software code deployment by eliminating functional silos existing between development and production. The Senior DevOps Engineer work assignments involve moderately complex to complex issues where the analysis of situations or data requires an in-depth evaluation of variable factors.

Responsibilities

In this role you will be on a team of security engineers performing triage, analysis, hunting bugs, driving DevSecOps adoption, delivering on our “everything is code” approach to product development.  Your focus will be shift left DevSecOps opportunities, CI/CD Pipeline scanning, enablement and engineering automation.
 

We are looking for someone with at least 3 years of application security and or offensive security experience

You are a great fit if the following are true:

• You can handle complicated bugs and complex application security issues.
• You love developers, teaching, learning, and research.
• You have a home lab and constantly learning.
• You are passionate about customer experience.
• You love breaking and building, can code and hack.
• Know the OWASP top 10 and understand defensive coding techniques. 
• Have experience with Git, Gitflow, SAST, DAST, SCA, IAST tooling.
• Architects and Red Teamers don’t scare you.
• You love open source, community and collaboration.
• Have deep experience breaking web applications, APIs, mobile apps and anything that compiles.
• Can distill complicated issues and communicate to senior leaders the why it’s important and how it works.
• You have a strong scripting and automation background (you can write in one or more of the following python, JavaScript/TypeScript or PowerShell) Python preferred.
• Azure Devops or Github automation, or similar experience with CI/CD tooling.
• Proficiency with managing supporting & deploying Checkmarx, AppScan, Veracode, Rapid7, Fortify or similar tools.

Responsibilities:

• Partner with our Security Advocate Community, Compliance and governance, platform teams, DevSecOps and DevOps teams.

• Improve and expand application security quality across our entire portfolio of applications.

• Mentor others, you love to share and support, serve as expert for escalated analysis.

• Contributes to inner source and demonstrates engineering community engagement.

• Review and research issues from our Threat Modeling program, tying potential threats to visible defects from security scans

• Help developers solve application security defects.

• Contribute to and execute on our secure software development strategy for the enterprise.

• Improve and expand application security quality across our entire portfolio of applications.

Required:

• At least 3 years+ of experience with Application Security, including familiarity with the leading toolsets supporting Application Security (dynamic and static). Experience with Checkmarx, AppScan, Burp Suite, Contrast, VeraCode, NowSecure, Blackduck, WhiteSource, Fortify or similar tooling.

• Strong application security experience across a variety of technologies and languages.

• Deep experience in static code analysis and third-party software composition analysis.

• Deep experience with BurpSuite and breaking web applications.

• Excellent communication skills with the ability to influence others

• Analytical and problem solving skills

• Strong scripting skills, can quickly find common issues across large code bases or IP ranges. 

• Contributes to the broader security or open source community.  

• Must be passionate about contributing to an organization focused on continuously improving consumer experiences

• Must be passionate about developer experience, privacy, security, quality and product delivery

• Can demonstrate exploitation and break applications with ease, is creative and thinks evil by default.   

Preferred:

• Prior experience leading an application security program, with 1000+ stakeholders and development teams in the portfolio

• Prior experience managing, supporting and deploying SAST/DAST and Open Source Analysis programs and tools across an organization

• Cloud experience or experience with Docker or similar container platforms.

• Working knowledge of Linux and Windows operating systems

• Reverse engineering, bug hunting, vulnerability assessment, or exploit development experience.

• Strong Experience with one of the following: C#, JavaScript, Java, Python, ruby or similar. 

• You understand design, delivery, and ownership along with modern SDLC practices.

• Knowledge of common information security management frameworks, including but not limited to:

ISO 27001/27002, ITIL, COBIT, NIST, BSIMM.

• Professional security certification, such as OSCP, Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other similar credentials a plus but not required.

• Experience with Service Now Asset Management is a plus

Scheduled Weekly Hours

40