DevSecOps Engineer
Towne · United States · 1 wk ago
RemoteRemoteEngineeringFull-time
Essential Functions
- CI/CD & Release Engineering (Azure DevOps)
- Design, build, and maintain CI/CD pipelines in Azure DevOps (YAML pipelines) for application and infrastructure deployments
- Implement multi-stage release workflows with environment promotion (dev → staging → production), approval gates, and automated rollback
- Own deployment reliability: zero-downtime deployment patterns (blue/green, canary), release cadence, and deployment metrics (lead time, change failure rate, MTTR)
- Manage build agents, artifact feeds, and container registries (ACR)
- Infrastructure as Code (20%)
- Partner closely with engineering teams to integrate security into development workflows without reducing delivery velocity
- Develop secure coding guidance, reusable security patterns, and self-service security capabilities
- Support security champion programs and security awareness initiatives for technical teams
- Author and maintain all cloud infrastructure as code using Terraform and/or Bicep — no click-ops in production
- Build reusable IaC modules for common patterns (networking, app services, databases, key vaults)
- Implement state management, drift detection, and plan/apply review workflows integrated into pipelines
- Drive cost visibility and right-sizing through tagging standards and IaC-enforced resource policies
- Policy as Code & Governance (30%)
- Define and enforce guardrails using Azure Policy (built-in and custom definitions) across subscriptions and management groups
- Implement policy-as-code workflows so governance changes go through version control and CI, not the portal
- Enforce standards automatically: allowed regions and SKUs, mandatory encryption, network restrictions, required tags, diagnostic settings
- Integrate compliance scanning into pipelines (e.g., Checkov, tfsec, PSRule) so non-compliant infrastructure fails before deployment
- Maintain audit-ready documentation and technical control mappings across applicable regulatory frameworks
- Maintain audit-ready evidence of control enforcement to support SOC 2 / PCI DSS compliance efforts
- Security Operations & Remediation (25%)
- Facilitate threat modeling exercises for applications, cloud services, APIs, and infrastructure platforms
- Identify security design risks early in the software development lifecycle and recommend mitigation strategies
- Design and implement secure network architectures including segmentation, private networking, web application firewalls (WAF), and cloud-native security controls
- Monitor and remediate network exposure risks and cloud security misconfigurations
- Support secure connectivity models including VPN, private endpoints, service meshes, and zero-trust networking architectures
- Own vulnerability management end to end: scanning (SAST, dependency/SCA, container image, DAST), triage, severity-based remediation SLAs, and tracking to closure
- Remediate infrastructure-level findings directly (misconfigurations, patching, network exposure, identity over-permissioning); route application-code findings to engineering teams with clear severity, context, and deadlines
- Implement and tune Microsoft Defender for Cloud and security monitoring/alerting; lead initial response and containment for security incidents
- Manage identity and access: Entra ID, RBAC least-privilege reviews, service principals/managed identities, PIM for elevated access
- Harden the network layer: NSGs, private endpoints, WAF, segmentation between environments
- Feature Delivery Enablement (10%)
- Implement feature flag infrastructure (e.g., Azure App Configuration / LaunchDarkly) to decouple deployment from release
- Support progressive rollouts, A/B exposure controls, and kill switches for safe feature launches
- Partner with application engineers to make shipping fast and safe — your job is to remove friction, not add gates
- Support feature flag platforms and progressive delivery capabilities to enable secure, controlled feature releases
- Implement kill-switch and rollback mechanisms to reduce deployment risk.
- Education: B.S. or Major in Computer Science
- Required: 5+ years in DevOps/SRE/Platform roles, with at least 2 years of hands-on security ownership (DevSecOps, AppSec, or CloudSec)
- Preferred: AZ-400, AZ-500, or equivalent
- Work Experience: 5+ years in DevOps/SRE/Platform roles, with at least 2 years of hands-on security ownership (DevSecOps, AppSec, or CloudSec)
- Knowledge & Skills: Deep, demonstrable Azure experience: App Services / AKS / Functions, networking, Entra ID, Key Vault, Defender for Cloud
- Expert with Azure DevOps: YAML pipelines, release management, branch policies, artifact management
- Production experience with Terraform or Bicep (both a plus), including module design and state management
- Proficiency in at least one scripting language (PowerShell, Python, or Bash)
- Track record of remediating security findings yourself — not just filing tickets
- Strong communication: able to explain risk in business terms and influence engineers without formal authority