Sr. DevSecOps Engineer

NTD software

Mexico City

On-site

MXN 1,097,000 - 1,464,000

Full-time

Today

Vacancy summary

A leading technology firm in Mexico City is seeking a DevSecOps Engineer to enhance application security and embed security practices across the development process. This role involves identifying vulnerabilities, automating security controls, and fostering collaboration between development and operations teams. The ideal candidate will have a degree in Computer Science or related field and 3+ years of experience in DevSecOps. You will ensure security is integrated into the SDLC, contributing to safer software delivery within the company.

Qualifications

  • 3+ years of proven experience in DevSecOps, Application Security, or Secure Software Development.
  • Hands-on experience with CI/CD tools such as GitHub Actions, Jenkins, etc.
  • Understanding of cloud security practices and OWASP Top 10.

Responsibilities

  • Identify, assess, and remediate application security vulnerabilities.
  • Integrate and maintain security controls in CI/CD pipelines.
  • Conduct secure code reviews and threat modeling.

Skills

Application Security
Secure Software Development
Programming in PHP
Programming in JavaScript
Programming in Python
Programming in Java
CI/CD tools
Cloud security practices
Container security
Communication skills

Education

Bachelor’s degree in Computer Science, Software Engineering, Cybersecurity

Tools

GitHub Actions
GitLab CI/CD
Jenkins
CircleCI
SAST tools
DAST tools
SCA tools
Docker
Kubernetes
Job description

As a DevSecOps Engineer, the focus is on strengthening application security and embedding modern DevSecOps practices across the development lifecycle. The role involves identifying and remediating application vulnerabilities, integrating security into every stage of the SDLC, and ensuring that robust security controls are implemented and maintained in CI/CD pipelines.

Day‑to‑day responsibilities include designing and automating security controls, performing secure code and pipeline reviews, monitoring vulnerabilities, and collaborating with development and operations teams to drive “security by design.” By doing so, this role adds direct value to the Technology Department, working closely with all tribes to reduce risk exposure, enable faster and more secure software delivery, and foster a culture where security becomes a natural part of innovation and growth.

Responsibilities
  • Identify, assess, and remediate application security vulnerabilities across web, API, and cloud environments.
  • Integrate and maintain security controls in CI/CD pipelines (e.g., SAST, DAST, SCA, container scanning, IaC security).
  • Collaborate with development and operations teams to embed secure coding practices and ensure “shift-left” security.
  • Conduct and support secure code reviews, threat modeling, and application risk assessments.
  • Develop automation and scripts to enforce security checks in the pipeline.
  • Monitor, triage, and remediate findings from application security tools.
  • Stay current with industry trends, frameworks, and emerging threats (OWASP, MITRE ATT&CK, NIST).
  • Contribute to security guidelines, standards, and training for developers.
Requirements
  • Bachelor’s degree in Computer Science, Software Engineering, Cybersecurity, or equivalent experience.
  • Proven experience in DevSecOps, Application Security, or Secure Software Development (3+ years).
  • Good programming skills in languages such as PHP, JavaScript, Python, or Java.
  • Hands‑on experience with CI/CD tools (GitHub Actions, GitLab CI/CD, Jenkins, CircleCI, etc.).
  • Practical experience with SAST, DAST, SCA, IAST, and related security tooling.
  • Understanding of cloud security practices.
  • Familiarity with container security (Docker, Kubernetes).
  • Strong knowledge of OWASP Top 10, secure coding principles, and common attack vectors.
  • Ability to communicate security requirements effectively to developers and stakeholders.
Bonus Skills
  • Experience performing penetration testing or code‑level security assessments.
  • Certifications such as eJPT, OSWE, OSCP, CSSLP, or GIAC GWAPT/GPCS.
  • Experience with Infrastructure as Code (Terraform, CloudFormation) security best practices.
  • Experience implementing Zero Trust principles in pipelines.
  • Knowledge of Clojure.