DevSecOps Engineer

At Authorium, a DevSecOps Engineer is responsible for integrating security measures within the CI/CD pipeline, managing vulnerability scanning tools, conducting security reviews of code, and engineering secure infrastructure on AWS using technologies like Terraform. The role emphasizes close collaboration with development and security teams to ensure application security while responding to potential threats proactively.

To apply for the DevSecOps Engineer position at Authorium, you should have a Bachelor’s degree in Information Security, Computer Science, or a related field, or equivalent work experience. Additionally, a minimum of two years in information security and familiarity with compliance frameworks like FedRAMP/StateRAMP is essential. Strong communication and analytical skills are also crucial for this role.

A DevSecOps Engineer at Authorium will work extensively with a range of tools including AWS Security Hub, Amazon GuardDuty, Terraform for infrastructure as code, and CI/CD tools like CircleCI and GitHub Actions. Familiarity with scripting languages such as Python or Bash and knowledge of security controls within the AWS ecosystem are also highly beneficial.

The work environment for a DevSecOps Engineer at Authorium is fully remote, providing flexibility and work-life balance. The team is collaborative and supportive, focusing on integrating security best practices and continuous improvement in a dynamic and evolving tech landscape.

Authorium offers an appealing benefits package for its DevSecOps Engineers, including a competitive salary range of $145,000-$155,000, 100% employer-funded medical, dental, and vision insurance, flexible PTO, a $500 home office stipend for remote work, and a 401K with a Profit Sharing Plan to help secure your financial future.

When integrating security into the CI/CD pipeline, I focus on automating security testing using tools like SAST and DAST. I ensure that vulnerabilities are identified early by incorporating scanning tools within the process. Additionally, I promote communication between development and security teams to instill a security-first mindset throughout the software lifecycle.

Infrastructure as Code (IaC) is an approach where infrastructure is provisioned and managed using code rather than manual processes. This allows for automation, version control, and consistency across deployments. In my experience with IaC, I've successfully utilized Terraform on AWS, allowing rapid infrastructure delivery while maintaining security best practices.

For effective vulnerability management, I adopt a proactive approach that includes continuous scanning and assessment of systems, prioritizing vulnerabilities based on risk, and collaborating with development teams to remediate issues swiftly. Regularly reviewing findings and implementing automated fixes is key to maintaining a secure environment.

The principle of least privilege entails granting users only the permissions they need to perform their job functions. This minimizes the potential attack surface and limits access to sensitive information. In practice, I assess roles and responsibilities regularly to ensure compliance with this principle within cloud environments, especially when configuring IAM roles.

Responding to security incidents involves having a well-defined incident response plan in place. Initially, I assess the situation to determine the scope and impact, then engage the necessary stakeholders for assessment and resolution. Post-incident, I analyze the situation to improve security measures, ensuring that similar incidents can be prevented in the future.

My experience with AWS security tools includes using AWS Security Hub to centralize security management, Amazon GuardDuty for threat detection, and AWS WAF to protect against common web exploits. I utilize these tools to monitor security metrics and maintain compliance with industry standards.

To stay current in the DevSecOps field, I engage with online training, attend conferences, and participate in community forums. I regularly review industry blogs and publications that focus on emerging trends and tools to ensure that our practices remain cutting-edge and effective.

Collaboration between development and security teams has been a fundamental part of my experience. I foster open communication channels to align security practices early in the development process. Conducting training sessions and security workshops has proven effective in embedding a security-first culture across teams.

Defense in Depth is a layered security strategy that involves implementing multiple security controls throughout the IT environment. This approach ensures that if one security control fails, additional layers provide backup defenses. I apply this principle by leveraging various security technologies and procedures, enhancing the overall security posture.

I am well-versed in using scripting languages such as Python and Bash to automate various tasks within the DevSecOps workflow. These scripts help me streamline processes like vulnerability scans, configuration management, and reporting, allowing for quicker responses to security issues.