DevSecOps Engineer - Pune (WFO)

Pune, Maharashtra, India | Engineering | Full-time

DevSecOps Consultant

Overview:

The DevSecOps Consultant will be responsible for integrating security into every stage of the Software Development Lifecycle (SDLC). This includes implementing security controls within CI/CD pipelines, enabling development teams with best practices, and automating secure coding compliance across all engineering initiatives.

Experience:

5 - 7 years

Roles:

  1.  Coordinate with Platform and Engineering teams to ensure that critical vulnerabilities are mitigated within the appropriate subsystems or enterprise technology products.
  2.  Work closely with the Engineering team on SSDLC, threat modelling, etc.
  3.  Share a monthly metrics report on vulnerability trends and DevSecOps posture.

Responsibilities:

  1. CI/CD Security Integration: Analyze the automated processes of the secure CI/CD pipeline and present the generated reports to management.
  2. Secure Development: Annually review secure coding standards like Shift Left, Shift Right, etc. Perform threat modelling. Present the outcome of the threat modelling to the Project Manager, discuss mitigations, and document the outcome of these discussions.
  3. Infrastructure Security: Since our configurations are in the form of Infrastructure as Code (Terraform / Helm Charts), review hardening guidelines along with reviewing these scripts.
  4. Awareness & Training: Deliver hands-on training sessions, workshops, and awareness programs to Engineering and Platform teams; topics can include, but are not limited to, secure design principles, API security, cloud security, and DevSecOps practices. Help build a security-first culture across the Engineering team.
  5. Metrics & Governance: Monitor security posture through key metrics such as vulnerability fix rate, mean time to remediation (MTTR), CI/CD pipeline security coverage, and DevSecOps adoption levels across teams. Use these metrics to help leadership drive continuous improvement and to provide visibility on security maturity.

Preferred Skillset:

  1.  CI/CD tools: Bitbucket
  2.  Security tools: Snyk, SonarQube
  3.  Languages: Python, Bash, YAML, Java Spring Boot
  4.  Cloud: GCP, AWS, Azure
  5.  Compliance: OWASP Top 10, NIST, ISO 27001