Senior DevSecOps Engineer

Job Title: Senior DevSecOps Engineer

Location: Boston, MA

Employment Type: Full-Time

Experience: 10+ Years (Overall IT), 3-7+ Years in Security/DevSecOps

Job Summary

We are seeking a Senior DevSecOps / Application Security Engineer to embed security across the software development lifecycle (SDLC) and cloud-native environments. This role will focus on integrating security into CI/CD pipelines, cloud infrastructure, containers/Kubernetes, and automation frameworks, ensuring scalable, compliant, and secure delivery of applications.

The ideal candidate has strong hands-on experience in application security, cloud security, DevSecOps practices, and security automation, and thrives in a highly collaborative engineering environment.

Key Responsibilities

Secure SDLC & Application Security

• Embed security controls across all phases of the SDLC.

• Perform threat modeling, secure code reviews, and risk assessments.

• Implement and manage SAST, DAST, and SCA tools, and guide development teams on remediation.

• Enforce secure coding standards and promote a security-first engineering culture.

CI/CD Pipeline Security

• Design, build, and maintain secure CI/CD pipelines using tools such as GitHub Actions, GitLab CI, Jenkins, and Azure DevOps.

• Automate security scanning, policy enforcement, and compliance checks within pipelines.

• Integrate secrets management and environment hardening into CI/CD workflows.

Cloud & Infrastructure Security

• Review and secure Infrastructure as Code (IaC) using Terraform, CloudFormation, ARM, or Pulumi.

• Enforce cloud security best practices across AWS, Azure, and/or Google Cloud Platform.

• Deploy and manage cloud-native security services such as AWS GuardDuty, Azure Defender, and Google Cloud Platform Security Command Center (SCC).

Container & Kubernetes Security

• Build and manage secure container images and implement vulnerability scanning using tools like Trivy, Aqua, Clair, or Prisma Cloud.

• Enforce Kubernetes security controls, including RBAC, network policies, and pod security standards.

• Monitor Kubernetes clusters and remediate security vulnerabilities.

Security Automation & Tooling

• Develop automation scripts and workflows using Python, Bash, Go, or PowerShell.

• Integrate SIEM/SOAR platforms with CI/CD and cloud environments.

• Automate vulnerability management and remediation processes.

Compliance & Governance

• Support compliance initiatives aligned with NIST, ISO 27001, SOC 2, PCI-DSS, and internal security policies.

• Implement policy-as-code using tools such as OPA, Conftest, and cloud policy engines.

• Produce audit-ready documentation, metrics, and security reports.

Monitoring & Incident Response

• Integrate security telemetry into CI/CD pipelines and cloud platforms.

• Respond to and triage security incidents related to applications, pipelines, and cloud workloads.

• Conduct root-cause analysis and implement preventive security controls.

Required Skills & Qualifications

• 10+ years of overall IT experience, with 3-7+ years in Cybersecurity, DevSecOps, or Cloud Security roles

• Strong scripting and programming skills (Python, Go, Bash, or PowerShell)

• Hands-on experience securing CI/CD pipelines

• Deep understanding of OWASP Top 10, CWE, CVEs

• Strong experience with container and Kubernetes security

• Knowledge of microservices, APIs, and distributed systems

• Solid understanding of cloud networking, IAM, secrets management, and encryption

• Experience with AWS, Azure, or Google Cloud Platform security services

Nice-to-Have Skills

• Experience with SIEM/SOAR platforms

• Exposure to multi-cloud security environments

• Prior experience supporting regulated or compliance-heavy environments

Soft Skills

• Strong collaboration and communication skills

• Ability to influence engineering teams on security best practices

• Proactive mindset with strong problem-solving abilities