Lead the design and execution of enterprise-wide Software Composition Analysis (SCA) and software supply chain security strategy across all applications and platforms. Own end-to-end open-source risk management, including vulnerability detection, prioritization, and remediation of third-party dependencies. Define and enforce security policies aligned with industry standards such as OWASP and NIST (SSDF), ensuring secure software development practices. Integrate SCA tooling into CI/CD pipelines and developer workflows to enable automated, shift-left security controls. Drive implementation and adoption of Software Bill of Materials (SBOM) standards (e.g., CycloneDX, SPDX) for full dependency visibility. Secure the software supply chain by implementing controls for artifact integrity, provenance, and signed builds, aligned with OpenSSF frameworks (e.g., SLSA). Lead response and mitigation efforts for critical supply chain vulnerabilities (e.g., zero-day dependency risks), ensuring rapid impact analysis and remediation. Establish governance over artifact repositories and package registries, enforcing version control, trusted sources, and secure publishing practices. Define and track key security metrics (e.g., vulnerability MTTR, coverage, policy compliance) and present insights to senior leadership. Mentor a team of security engineers while partnering with engineering, DevOps, and product teams to drive scalable, developer-friendly security solutions.
Job Type
Full-time
Career Level
Senior