Jr DevSecOps Engineer

About The Position

Requirements

• 1–3 years of experience in a DevOps, DevSecOps, software engineering, or security engineering role — or a strong equivalent: relevant degree with a security or cloud focus, security internships, or demonstrable personal/open-source projects that show hands-on depth.
• Working knowledge of at least one major cloud platform (AWS or Azure). You understand IAM, compute, storage, and networking basics and have built or deployed something real in it.
• Hands-on Terraform experience: can read and write modules, understand state, and debug basic provider errors. You don't need to be an expert — you need to be functional and willing to grow.
• Scripting ability in Python or Bash: can write a functional automation script from scratch.
• Basic CI/CD fluency: understand pipeline stages, artifact handling, environment variables, and why secrets don't belong in code.
• Foundational security knowledge: OWASP Top 10, common vulnerability classes (injection, broken auth, misconfigurations), and how they show up in real systems.
• Core networking concepts: TCP/IP, DNS, TLS/HTTPS, VPCs, subnets, security groups, firewalls — enough to read a network diagram and ask the right questions.
• Someone who communicates clearly in writing, asks good questions, and doesn't wait to be told something is broken.

Nice To Haves

• Hub Actions experience: has written or modified a real workflow, not just clicked "re-run."
• Microsoft Sentinel or any SIEM exposure: run a query, investigated an alert, created a basic rule.
• Container basics: Docker, understands image layers, has run an image scan.
• Any active or in-progress certification: CompTIA Security+, AZ-900, AZ-500, AWS Cloud Practitioner, AWS Security Specialty.
• Exposure to compliance or audit processes — SOC 2, PCI-DSS, or any regulated environment — even as a junior participant.
• Familiarity with OSFI B-13 or Canadian financial services regulatory context.
• Exposure to identity and access concepts: OAuth 2.0, OIDC, SAML, or workload identity — even at a "I know what these are" level.

Responsibilities

• Build and maintain security integrations within CI/CD pipelines: SAST/DAST tooling, secrets scanning, dependency checks, and container image scanning.
• Write and maintain Terraform modules under senior review: contribute to the IaC library, fix drift, and help enforce module standards.
• Automate security tasks in Python and Bash: evidence collection scripts, alert enrichment, scheduled scans, and reporting automation.
• Support the supply-chain security program: SBOM generation, dependency pinning, and build artifact management.
• Help implement and maintain policy-as-code configurations — learning enforcement patterns at PR-time, pipeline-time, and deploy-time.
• Maintain and improve runbooks for the team's operational procedures and on-call scenarios.
• Monitor and triage security alerts from Microsoft Sentinel, AWS Security Hub, and Azure Defender for Cloud under senior guidance.
• Contribute to incident response investigations: log analysis, timeline reconstruction, and evidence handling.
• Help tune detection rules and reduce alert noise — learn to write and modify KQL queries in Sentinel.
• Support audit evidence collection: run API-based artifact pulls, validate completeness, and maintain evidence repositories.
• Participate in vulnerability management: track scan results, validate remediations, and update the risk register with senior oversight.
• Shadow the Senior DevSecOps Engineer on architecture decisions, threat modeling sessions, and stakeholder conversations.
• Work toward a defined certification path as part of your development plan (examples: AZ-500, AWS Security Specialty).
• Join the on-call rotation progressively: start as a shadow, then, then independent as your readiness grows.
• Contribute to team documentation and the Security Centre of Excellence knowledge base.
• Bring questions. This team runs blameless retros and expects engineers at every level to flag what they don't understand.

Benefits

• Competitive salaries
• profit sharing
• RRSP matching
• benefits from day one
• Generous paid time off
• A strengths-based approach
• A commitment to your well-being in five key areas: Financial, Physical, Social, Career, and Community.