Job Summary
We are seeking an experienced and proactive Application Security (AppSec) and DevSecOps Engineer to embed security throughout the software development lifecycle and CI/CD pipelines. You will collaborate with development, operations, and security teams to design, implement, and maintain security best practices in our applications and infrastructure. This role ensures our systems are secure by design and compliant with industry standards, including HIPAA, SOC2, OWASP, NIST 800-53, and NIST SSDF.
Key Responsibilities
Secure SDLC Integration:
• Integrate security at every phase of the software development lifecycle.
• Collaborate with engineering and product teams in Agile/Scrum environments to prioritize, track, and remediate security issues during sprint cycles.
• Develop and maintain threat models and perform design reviews. Lead threat modeling sessions and conduct in-depth security architecture reviews.
• Educate development teams on secure coding practices.
• Contribute to secure backlog grooming and definition of security-related user stories and acceptance criteria.
• Actively support the organization’s secure software development lifecycle (SDLC) initiatives by integrating security controls, processes, and testing into development workflows and CI/CD pipelines.
CI/CD Pipeline Security:
• Integrate security testing tools (SAST, DAST, SCA, IaC scanning) into CI/CD pipelines.
• Automate security checks to ensure continuous compliance and early detection.
• Ensure integration of security scanning outputs into ticketing systems and development workflows for traceable remediation.
Application Security:
• Perform and manage vulnerability assessments, code reviews, and penetration testing.
• Lead application-level penetration testing efforts, both internally and with external vendors.
• Remediate findings by working closely with developers and product teams.
• Facilitate and track remediation activities as part of security sprints.
• Monitor and manage third-party/open-source dependencies for known vulnerabilities.
• Conduct security code reviews using both automated and manual analysis techniques.
Infrastructure & DevSecOps:
• Secure containerized environments (Docker, Kubernetes).
• Ensure cloud infrastructure security (AWS/Google Cloud Platform/Azure) using infrastructure-as-code (IaC) tools like Terraform or CloudFormation.
• Implement secrets management, identity and access control, and other cloud-native security features.
Governance & Compliance:
• Contribute to security policies, standards, and compliance efforts (e.g., ISO 27001, SOC 2, NIST 800-53, GDPR).
• Ensure application security controls comply with HIPAA Security Rule safeguards (e.g., access control, audit logging, encryption).
• Support documentation and evidence collection for SOC 2 Type II audits and HIPAA security risk assessments.
• Map security activities and controls to NIST 800-53 and NIST SSDF frameworks.
• Support audit activities and create documentation for security controls.
Required Skills:
• Integrate security at every phase of the software development lifecycle.
• Collaborate with engineering and product teams in Agile/Scrum environments to prioritize, track, and remediate security issues during sprint cycles.
• Develop and maintain threat models and perform design reviews.
• Lead threat modeling sessions and conduct in-depth security architecture reviews.
• Educate development teams on secure coding practices.
• Contribute to secure backlog grooming and definition of security-related user stories and acceptance criteria.
• Actively support the organization’s secure software development lifecycle (SDLC) initiatives by integrating security controls, processes, and testing into development workflows and CI/CD pipelines.
• Integrate security testing tools (SAST, DAST, SCA, IaC scanning) into CI/CD pipelines.
• Automate security checks to ensure continuous compliance and early detection.
• Ensure integration of security scanning outputs into ticketing systems and development workflows for traceable remediation.
• Perform and manage vulnerability assessments, code reviews, and penetration testing.
• Lead application-level penetration testing efforts, both internally and with external vendors.
• Remediate findings by working closely with developers and product teams.
• Facilitate and track remediation activities as part of security sprints.
• Monitor and manage third-party/open-source dependencies for known vulnerabilities.
• Conduct security code reviews using both automated and manual analysis techniques.
• Secure containerized environments (Docker, Kubernetes).
• Ensure cloud infrastructure security (AWS/Google Cloud Platform/Azure) using infrastructure-as-code (IaC) tools like Terraform or CloudFormation.
• Implement secrets management, identity and access control, and other cloud-native security features.
• Contribute to security policies, standards, and compliance efforts (e.g., ISO 27001, SOC 2, NIST 800-53, GDPR).
• Ensure application security controls comply with HIPAA Security Rule safeguards (e.g., access control, audit logging, encryption).
• Support documentation and evidence collection for SOC 2 Type II audits and HIPAA security risk assessments.
• Map security activities and controls to NIST 800-53 and NIST SSDF frameworks.
• Support audit activities and create documentation for security controls.
Qualifications:
Education: Bachelor’s degree in Computer Science, Cybersecurity, or related field (or equivalent experience).
5+ years of experience in AppSec, DevSecOps, or related roles
Preferred Attributes:
7+ years experience in related field
Certifications: OSCP, CISSP, CSSLP, CEH, or similar.
Experience with cloud-native security in Azure, AWS, and Google Cloud Platform.
Hands-on experience with NIST, HIPAA, and SOC 2 application security compliance, including security assessments and control implementation.
Experience leading penetration testing engagements and managing remediation in collaboration with development teams.
Experience with bug bounty programs or working with security researchers.
Experience implementing or supporting a security champions program is a plus.
Never miss an opportunity! Create an alert based on the job you applied for.