Security Development Engineering

SecDevOps exists to bridge the gap between Security and Engineering. The position serves as the technical points of contact for security related activity that needs engineering or development focus. This position will be a hybrid position, and will require on-site attendance as required (i.e., training, assessment participation, team meetings, etc.).

This role serves as a “hands-on” senior-level security development engineer who will the responsible for interfacing with  security engineering, operations, security and build teams.  This individual will assist the GRC Control Assurance and SOC Vulnerability Management teams with the initial triage of vulnerabilities, using knowledge and experience to product an actional items for operations, or as necessary, and be point for escalations to Product or Cloud teams.  This individual will review other team member responses and use in consideration of the final list.  Additionally, this individual will be supporting the various assessments/audits by participating in interviews, managing operation and engineering escalations in support of assessment / audit activities.   This can include, but not limited to, providing assistance and guidance on how the security controls are being addressed through automation, configuration or build as well as gathering evidence for the assessors.   As required, this individual will also shepard vulnerabilities and/or findings through the remediation process. This individual is expected to be able to begin work almost immediately based on experience, once provided the environments, procedures and processes.  Oversight and guidance will be provided as needed. 

• Bachelor’s Degree in Computer Science / MIS / Information Technology, or equivalent experience in Information Security, Information Technology, or related technical discipline
• Experience with best practice identification and response to operating system and web application vulnerabilities, such as patching or otherwise mitigating known security issues.
• Ability to communicate complex security vulnerabilities to various audiences ranging in technical knowledge.
• Experience with various scanning tools including but not limited to Nessus, WebInspect and/or container scanners such as Clair, Trivy, Grype
• Exposure to information security standards such as DISA STIGs or CIS. Previous work with immutable image deployments/architecture.
• Experience leading efforts across multiple groups and security boundaries toward common goals.
• Ability to debug and optimize code and automate routine tasks.
• Systematic problem-solving approach coupled with strong communication skills and a sense of ownership and drive.
• Experience in tracking and creating various metrics, KPIs or OKRs.
• Experience with SDLC and Release processes
• Knowledge with patching and vulnerability remediation processes
• Ability to adapt to a high paced environment and workload

Experience with one or more of the following:

• C, C ++, Java, Python, Go, Perl, Ruby, or shell scripting.
• Experience working in a Cloud Environment – AWS, Azure, GCP
• Experience with JIRA Ticketing System Information Technology
• Experience with Service Now Ticketing System
• Experience working with containers or Kubernetes
• Experience with Unix / Linux/Windows operating system internals and administration (e.g., filesystems, inodes, system calls, hardening) and networking (e.g., TCP / IP, routing, DNS, network topologies, SDN).
• Understanding and practice with security frameworks such as NIST 800-53, NIST 800- 171, SOC 1 or SOC 2, or PCI
• Knowledge of Best Practice and security guides (ex. NIST 800-53 rev 4, NIST 800-53, FedRAMP)
• CompTIA Security+.or equivalent certification

Qualified applicants will receive consideration for employment without regard to race, color, religion, gender, national origin, sexual orientation, gender identity, disability or protected veteran status.