Lead DevSecOps & Compliance Engineer

Pioneering Evolution LLC, Arlington, VA
Hybrid

About The Position

The Lead DevSecOps & Compliance Engineer is a senior technical leader responsible for embedding security, auditability, and compliance automation across the full software delivery lifecycle. This role ensures the platform is secure by design, continuously compliant, and aligned with Zero Trust principles. Working at the intersection of cybersecurity, DevOps, and compliance engineering, this engineer defines and enforces platform-wide security policies, hardens build and deployment processes, and maintains traceability of technical controls to federal mandates such as FIAR, NDAA, FedRAMP, and Zero Trust Architecture. This role operates as a core member of the technical leadership team, collaborating with cloud platform engineers, backend developers, AI/ML teams, and project leadership to safeguard every layer of the stack—from infrastructure to middleware to deployment artifacts. The ideal candidate brings deep hands-on experience implementing and maintaining Azure infrastructure (especially AKS and Mission Landing Zones), security automation, policy-as-code, and compliance in a federal environment. U.S. Citizenship is required and the candidate must be able to obtain and maintain a U.S. Secret security clearance. This is a hybrid, full-time position with an onsite requirement of 3 days a week at our Crystal City HQ.

Requirements

  • Demonstrated experience implementing and maintaining Azure infrastructure in production, including AKS and Mission Landing Zones (MLZs).
  • Strong AKS operations experience: upgrades, node pools, ingress, RBAC/Entra ID, policy enforcement, and observability.
  • MLZ/landing zone governance: management groups, Azure Policy, hub-and-spoke networking, identity integration, and private networking patterns.
  • Experience securing and operating Azure Database for PostgreSQL Flexible Server (networking/private access, backups/restore, HA, and hardening).
  • Experience deploying and securing RabbitMQ (TLS, access control, monitoring/alerting, and operational maintenance).
  • 7+ years of experience in DevSecOps, cloud security, infrastructure security, or platform security for production systems.
  • Hands-on experience with CI/CD pipeline security (e.g., GitHub Actions, GitLab CI/CD, Bitbucket Pipelines) and automated security testing (SAST/DAST/SCA/SBOM).
  • Hands-on experience with Azure security foundations, including: Entra ID, VNets/NSGs, Private Link, Key Vault, and Azure Monitor/Log Analytics.
  • Proven experience mapping technical controls to federal compliance frameworks (e.g., NIST 800-53, FedRAMP; plus FIAR/NDAA where applicable).
  • Bachelor’s degree in Cybersecurity, Computer Science, Software Engineering, or a related technical field.
  • CISSP, CISM, or equivalent senior-level cybersecurity certification.

Nice To Haves

  • Policy-as-code frameworks and admission controls (OPA/Gatekeeper, Azure Policy for Kubernetes, Sentinel).
  • Secure software supply chain tooling (e.g., Sigstore/Cosign, in-toto, provenance/attestation).
  • Cloud-native security tooling and posture management:
      ◦ Azure: Defender for Cloud, Azure Policy, Azure Monitor
      ◦ AWS (desired): AWS Config, GuardDuty, Inspector
  • Observability platforms and practices: OpenTelemetry, Prometheus, ELK/Splunk, alerting and SLOs.
  • Experience operating secure AWS infrastructure and workloads, including:
      ◦ ECS, CloudWatch, IAM, VPC, Secrets Manager (and related security controls/patterns)
  • Familiarity with multi-cloud governance approaches and translating controls across Azure and AWS.
  • Infrastructure-as-code beyond Terraform (Azure Bicep) and secure module patterns.
  • Azure networking fundamentals (NSGs, route tables, hub-and-spoke, firewall/egress/ingress patterns).
  • Experience with AI/ML security practices or secure metadata handling for model pipelines.
  • Strong understanding of Zero Trust architectures and service-to-service identity enforcement.

Responsibilities

Azure Platform Security Engineering (AKS + MLZ)

  • Design, implement, and maintain secure Azure infrastructure in production, including AKS and Mission Landing Zones (MLZs).
  • Operate AKS securely (upgrades, node pools, ingress, RBAC/Entra ID integration, network policies, and observability).
  • Implement and enforce MLZ/landing zone guardrails (management groups, Azure Policy, hub-and-spoke networking, private networking patterns, and identity integration).

Secure CI/CD & Software Supply Chain

  • Integrate and enforce security scanning within CI/CD pipelines (SAST, DAST, SCA, SBOM generation).
  • Implement gated releases and release verification, including artifact integrity and provenance controls (e.g., signing/attestation where applicable).
  • Standardize secure build and deployment patterns for containerized workloads deployed to AKS (e.g., Helm and/or GitOps).

Runtime Hardening & Container Security

  • Harden containers and Kubernetes workloads using least privilege and defense-in-depth (Pod Security Standards, admission controls, secure baselines).
  • Define runtime policy enforcement using tools such as OPA/Gatekeeper and Azure-native controls (Azure Policy for Kubernetes where applicable).
  • Establish secure patterns for service-to-service communication and identity aligned to Zero Trust principles.

Secrets, Identity, and Access Control

  • Establish and maintain secure secrets management using Azure Key Vault (including access policies/RBAC, rotation patterns, and operational safeguards).
  • Enforce least-privilege access and secure authentication patterns (OAuth2, OIDC, JWT) across platform services and automation.

Compliance Automation, Evidence, and Audit Readiness

  • Map technical controls to federal frameworks (e.g., NIST 800-53, FedRAMP, FIAR/NDAA as applicable) and drive continuous evidence generation.
  • Define and enforce policy-as-code and compliance-as-code standards using Terraform and/or Azure-native policy tooling.
  • Support audit readiness reviews and produce control evidence artifacts (automated where possible).

Security Operations & Vulnerability Management

  • Implement vulnerability detection and remediation workflows (CVE/CVSS triage, prioritization, SLA tracking, and reporting).
  • Centralize logging and monitoring using Azure Monitor / Log Analytics, including retention, alerting, and traceability for audit evidence.
  • Collaborate with engineering teams to remediate findings and reduce recurrence through standards and automation.

Governance, Coordination, and Mentorship

  • Collaborate with the Technical Lead (Enterprise Technical Authority) and Program/Project Manager to define security priorities, operational standards, and delivery guardrails.
  • Mentor engineering and platform teams on secure development practices, compliance alignment, and operational excellence.

Benefits

  • Paid time off
  • 10 paid holidays
  • Medical insurance
  • Dental insurance
  • Vision insurance
  • Legal assistance
  • Company-paid life insurance and AD&D
  • Company-paid long-term and short-term disability insurance
  • Tuition reimbursement
  • 401(k) plan with company contribution
  • Continuing Education Opportunities