Staff Security Engineer (DevOps Integrations)

About The Position

Requirements

• Bachelor's degree in computer science (preferred), information assurance, MIS or related field, or equivalent.
• 7+ years of security and systems administration-related experience, to include 3+ years of related cloud and security engineering experience.
• Experience with operations and security across Amazon Web Services (AWS) and/or Google Cloud Platform (GCP).
• Experience with agile workflows, including Scrum and Kanban.
• Understanding of containers (e.g., Docker) and container orchestration (e.g., Docker Swarm, Kubernetes).
• Proficient in securing Windows and nix operating systems, endpoint applications, networking protocols and devices.
• Ability to obtain and maintain technical team and business support to influence a collaborative effort to reduce attack surface while performing rapid, continuous implementation.
• Understanding of OWASP, CVSS, the MITRE ATT&CK framework and (SLDC).
• Knowledge of Payment Card Industry (PCI), Health Information Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), National Institute of Standards (NIST) or International Standards Organization (ISO) requirements.
• Self-starter mentality requiring minimal supervision.
• Analytical and problem-solving abilities with a proactive, risk-based approach.
• Highly organized and efficient.
• Demonstrated strategic and tactical thinking, along with decision-making skills and business acumen.
• Strong internal service minded, to provide support to all teams and leadership.
• Adaptability to handle dynamic and challenging environments.
• Energetic, resourceful, and appropriate work intensity to get the work done.
• Strong people acumen and relationship skills.

Nice To Haves

• Experience in healthcare or digital health is a plus.

Responsibilities

• Build relationships with developers and stakeholders to incorporate security principles into engineering design and deployments.
• Supervise validation in security controls and testing across projects, using SAST, DAST, IAST and RASP tools, documenting any security findings, outlining remediation options and overseeing mitigation.
• Oversee implementation of defensive practices and countermeasures across infrastructure and applications.
• Draft and uphold CI/CD security strategy and practices in tandem with other technical team leads.
• Lead continuous product and application security reviews, focused on secure development practices, threat modeling, vulnerability management, architecture and application security design.
• Ensure security principles and validations are consistently implemented throughout the CI/CD pipeline by embedding robust, security-focused practices into all automation processes.
• Attend and participate in product meetings addressing security requirements for new and existing products.
• Build services and tools to enable developers and engineers to use security components successfully.
• Simplify automation that applies security inter-workings with CI/CD pipelines.
• Support the ability to “shift left” and incorporate security early on and throughout the development lifecycle.
• Communicate vulnerability results to both technical and non-technical stakeholders, focused on risk tolerance and threat to the business, in order to gain support through influential messaging.
• Leverage vulnerability database sources to understand the weakness, probability and remediation options supplied by vendors.
• Join forces and provision security principles in architecture, infrastructure and code.
• Regularly research and learn new tactics, techniques and procedures (TTPs).
• Partner with teams to define key performance indicators (KPIs) and metrics across business units.
• Ensure regulatory compliance (e.g., PCI, HIPAA, HITRUST, NIST CSF) through effective security controls and processes.
• Other duties as assigned.