DevSecOps Engineer

NCS is a leading technology services firm that operates across the Asia Pacific region in over 20 cities, providing consulting, digital services, technology solutions, and more. We believe in harnessing the power of technology to achieve extraordinary things, creating lasting value and impact for our communities, partners, and people. Our diverse workforce of 13,000 has delivered large-scale, mission‑critical, and multi‑platform projects for governments and enterprises in Singapore and the APAC region.

We’re looking for a DevSecOps Engineer to own the security, reliability, and delivery of our Azure platform and Kubernetes workloads. You’ll be the hands‑on technical engineer for secure‑by‑default infrastructure—automating everything‑as‑code, and partnering with product teams to do deployment and enabling fast shipping of codes without trading off security or resilience.

• Build and evolve Azure Landing Zones, Management Group hierarchy, subscription vending, and policy‑as‑code guardrails using Azure Policy or equivalent tools.

• Design & operate private AKS clusters (Azure CNI/Calico etc), implement Pod Security Standards, network policies (Calico/Cilium), workload identity (Entra OIDC/Workload Identity), and secure ingress/egress.

• Standardize pipelines in GitHub Actions / Azure DevOps; enforce SBOM, image scanning, cosign signing/verification, provenance (SLSA‑aligned) and immutable deploys (GitOps with Argo CD/Flux).

• Implement Entra ID RBAC & PIM, Managed Identities, Key Vault / Secrets Store CSI, and secret rotation practices.

• Establish Azure Monitor / Log Analytics baselines, tracing, SLOs, and actionable alerts; integrate with Microsoft Sentinel; lead incident response and postmortems.

• Drive Defender for Cloud coverage, vulnerability management (containers, hosts, code), and automated remediation.

• Hub‑and‑spoke or vWAN, Private Link/Endpoints, Private DNS, Firewall/NAT Gateway egress control; encryption at rest & in transit, KMS integrations.

• Backups (RSV/Velero), multi‑region patterns, chaos exercises, capacity planning; codify DR runbooks and perform tests.

• Implement tagging/budgets, right‑sizing, Reservations/Savings Plans; map controls to CIS/NIST/ISO and produce audit evidence from pipelines.

• Pair with product teams, review designs/PRs, write reference modules/templates, and uplift platform literacy across the org.

• Enable hardening for respective components, including but not limited to OS hardening, Application Hardening, Azure Services hardening.

• 7+ years in DevOps/SRE/Platform Engineering with 3+ years on Azure and 2+ years operating Kubernetes in production.
• Proven delivery of Azure Landing Zones or equivalent enterprise Azure foundations, expressed as Terraform or Bicep modules.
• Strong with GitHub Actions/Azure DevOps, artifacts, environments, approvals, reusable workflows.
• Hands‑on with container runtime security & policy: OPA/Gatekeeper or Kyverno, Pod Security restricted, read‑only root FS, capability drops, seccomp/AppArmor.
• Network security in K8s: NetworkPolicy default‑deny, ingress controllers (Nginx/AGIC), egress control, TLS everywhere, mTLS preferred.
• Image lifecycle: private registries (ACR), pull‑through caches, cosign signing & admission verification, Nessus scanning.
• Observability: Azure Monitor/Logs, DCRs, dashboards, SLOs, alert routing to ITSM; experience integrating with Sentinel or enterprise SIEM.
• Infra & config as code at scale; linting/testing/policy gates; change automation and drift detection (GitOps).
• Solid Linux fundamentals, networking, PKI, and incident response.

We are driven by our AEIOU beliefs—Adventure, Excellence, Integrity, Ownership, and Unity—and we seek individuals who embody these values in both their professional and personal lives. We are committed to our Impact: Valuing our clients, Growing our people, and Creating our future.

Together, we make the extraordinary happen.

Learn more about us at ncs.co and visit our LinkedIn career site.