DevSecOps Engineer

Confidential
United Arab Emirates · Full-time · Associate

Bake security into CI/CD so vulnerabilities are caught pre-production without slowing delivery. Ensure all applications and code are reviewed and tested via automated controls (SAST/SCA/IaC/DAST) with risk-based manual reviews for high-impact changes.



About the Role

Own the security layer of the SDLC across source, build, artifacts, containers, Kubernetes, cloud, and Zoho applications. Provide secure-by-default patterns, automate detection/prevention, and block releases that do not meet defined standards.



Responsibilities

Compliance by design
  • Define secure coding/config standards mapped to OWASP ASVS/Top 10, CIS, ISO 27001, NIST CSF (and UAE PDPL where applicable).
  • Enforce automated reviews for all apps/code: SAST, SCA, IaC, container image scanning, DAST in ephemeral environments; document evidence for audits.
  • Operate a risk-based manual review path for sensitive changes (e.g., auth, crypto, PII flows).

Application platform security (mandatory experience)
  • Assess the code base, custom widgets/extensions, OAuth scopes, and webhooks/integrations for authorization, input validation, secrets, and data protection.
  • Enforce SSO/MFA, IP restrictions, field-level security, row-level security, and audit logs; align roles with least privilege.
  • Add CI checks for the exported code base (lint Deluge anti-patterns, detect secrets, verify integration scopes).

Web application security
  • Partner with teams across front-end (React/Deluge) and back-end (Node/.NET/Python/Java) to triage/fix findings; codify guardrails for authentication/authorization, session management, CSRF, XSS, SSRF, SQLi, RCE, file uploads, CORS/CSP, PHP.
  • Maintain hardened Dockerfiles, base images, and Kubernetes manifests (RBAC, Network Policies, resource limits); enforce Kyverno/Gatekeeper policies.

Supply-chain & provenance
  • Generate/store SBOMs (CycloneDX/SPDX); implement artifact signing and provenance (in-toto/SLSA).
  • Secure runners/agents, registries, and pipeline credentials; prevent tampering.

Secrets & configuration
  • Standardize secrets management (Vault / cloud KMS), enable commit-time secret scanning (Gitleaks/TruffleHog), and rotate credentials.

Automation & enablement
  • Integrate scanners into GitHub Actions/Jenkins/GitLab/Azure DevOps; enable auto-fix PRs (Dependabot/Renovate/Snyk).
  • Publish playbooks/checklists, deliver short enablement sessions, reduce false positives, and improve DX.

Observability & audit readiness
  • Stream pipeline/runtime telemetry to SIEM/XDR; build dashboards for coverage, MTTR, and gate posture.
  • Provide auditable evidence of control operation and exceptions.

Client- and server-side authentication
  • Experience with REST APIs, OAuth 2.0, JWT, row-level security (RLS), session management, and SSO.

API security and management
  • Experience scoping APIs and defining rate limits.
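The responsibilities above call for commit-time secret detection and CI checks over the exported Zoho code base without showing what such a gate looks like. The following is an added example, not code from this posting or its employer, of a minimal Python secret check that a pipeline step could run before (or alongside) Gitleaks/TruffleHog. It combines fixed signatures for well-known credential formats with a Shannon-entropy check on assignments to secret-looking variable names, skips obvious placeholders such as `${VAR}`, and returns findings so the build can be failed. The sample files, their contents, the regexes, and the 3.5 bits/char threshold are constructed assumptions for the demo; the AWS key in the sample is the public example key from AWS documentation, not a real credential.

```python
"""Minimal commit-time secret gate (illustrative; not Gitleaks or TruffleHog)."""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Fixed signatures for credential formats whose shape is public knowledge.
SIGNATURES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
}
# Assignment to a secret-looking name; the captured value goes to the entropy check.
GENERIC = re.compile(
    r"(?i)\b[a-z0-9_.-]*(?:key|secret|token|password|passwd)\b\s*[:=]\s*['\"]?([^'\"\s;]{12,})"
)
# Template/env placeholders are not secrets even when their entropy looks high.
PLACEHOLDER = re.compile(r"^(?:\$\{[^}]*\}|\{\{.*\}\}|<[^>]*>|\$[A-Z_]+)$")
ENTROPY_THRESHOLD = 3.5  # assumed tuning value; raise it if false positives dominate


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per offending line; signature hits take precedence."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hit = next((rule for rule, pat in SIGNATURES.items() if pat.search(line)), None)
        if hit:
            findings.append(Finding(path, lineno, hit))
            continue
        m = GENERIC.search(line)
        if m:
            value = m.group(1)
            if not PLACEHOLDER.match(value) and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, lineno, "high_entropy_secret"))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def ci_gate(files: dict[str, str]) -> bool:
    """True when the tree is clean; False means the pipeline should stop."""
    return not scan_files(files)


# Constructed sample: an exported Deluge function and an env-style config file.
SAMPLE_FILES = {
    "functions/sync_orders.dsl": (
        'aws_key = "AKIAIOSFODNN7EXAMPLE";\n'  # AWS documentation example key
        'api_key = "Z9kq3PbT7vL2mXa8RnW4dE6yHc1J";\n'  # constructed high-entropy value
        'resp = invokeurl [ url : "https://example.invalid/orders" type : GET ];\n'
    ),
    "config/app.env": (
        "DB_PASSWORD=${DB_PASSWORD}\n"  # placeholder, must not be flagged
        'SESSION_SECRET="aaaaaaaaaaaaaaaaaaaa"\n'  # zero entropy, must not be flagged
    ),
}

if __name__ == "__main__":
    # Scan paths given on the command line, or the constructed sample when none are.
    targets = {p: open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]}
    targets = targets or SAMPLE_FILES
    for f in scan_files(targets):
        print(f"{f.path}:{f.line}: {f.rule}")
    sys.exit(0 if ci_gate(targets) else 1)
```

Run against the constructed sample, the gate reports the AWS key on line 1 and the high-entropy API key on line 2 of the Deluge export and exits non-zero, while the `${DB_PASSWORD}` placeholder and the repetitive session secret pass. The entropy threshold is the part a practitioner tunes: short human-readable strings can exceed 3.5 bits/char, which is why the placeholder filter exists and why production tooling adds allow-lists and a baseline of known findings.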



Qualifications

  • 8+ years in DevSecOps/Platform/Automation engineering with production CI/CD.
  • Proven integrations of SAST, DAST, and SCA (e.g., Snyk, Checkmarx, SonarQube, OWASP ZAP, Burp Suite, Dependabot/Renovate).
  • Strong scripting: Python, Bash, PowerShell.
  • Hands-on with containers/Kubernetes (Docker, EKS/AKS/GKE), and IaC (Terraform, Helm/Kustomize).
  • Experience reviewing third-party libraries and open-source scripts before adoption.
  • CI/CD expertise: GitHub Actions/GitLab/Jenkins/Azure DevOps (runners, credentials, caching, matrix builds).
  • Solid grasp of software supply-chain risks (SBOMs, signing, provenance) and secrets management.
  • Applied knowledge of OWASP ASVS/Top 10, CIS Benchmarks, basic cryptography, least privilege/RBAC.



Required Skills

  • Experience with policy-as-code (OPA/Rego, Conftest), Kyverno rules.
  • Familiarity with Microsoft Defender for Cloud / Defender for DevOps or cloud provider equivalents.
  • Runtime/container security (Falco, eBPF-based detection).
  • Cloud security posture tools (e.g., Prisma Cloud, Wiz, Defender for Cloud).
  • Threat modeling (STRIDE/PASTA) and attack simulation in ephemeral CI environments.
  • Exposure to ISO 27001 Annex A for SDLC.


Posted: Sep 03, 2025
Type: Full-time
Level: Associate
Location: Dubai
Industries: Information Services, Software Development
Categories: Information Technology
