Founding DevSecOps Engineer

As a Founding DevSecOps Engineer at MetalBear, you will be responsible for maintaining and improving our Infrastructure as Code setup, overseeing security architecture, leading certification efforts like ISO 27001 and SOC 2, and continuously enhancing our security posture. Additionally, you’ll design and maintain CI/CD pipelines to ensure streamlined deployment and development workflows.

The ideal candidate for the Founding DevSecOps Engineer role at MetalBear should possess strong experience with Infrastructure as Code tools (like Terraform or Pulumi), a solid understanding of cloud platforms (AWS, GCP, Azure), along with knowledge of security frameworks and compliance standards such as ISO 27001 and SOC 2. Proficiency in scripting languages and experience with CI/CD tools are also crucial for success in this position.

The Founding DevSecOps Engineer at MetalBear plays a crucial role in ensuring our compliance with security standards. This includes leading certification efforts and implementing best practices in cloud security while continuously assessing and enhancing our security posture across infrastructure and applications, thereby safeguarding our products and services.

At MetalBear, a Founding DevSecOps Engineer should be well-versed in Infrastructure as Code tools like Terraform and Pulumi, cloud platforms including AWS, GCP, and Azure, as well as CI/CD pipelines management through platforms such as GitHub Actions and GitLab CI. Familiarity with containerization technologies like Docker and orchestration tools like Kubernetes is also beneficial.

The environment at MetalBear is dynamic and collaborative, fostering innovation and open communication. As a Founding DevSecOps Engineer, you’ll work closely with the brilliant team behind mirrord, contributing to a culture of continuous improvement and excellence in developing cloud-native applications.

In your response, emphasize the importance of reliability, scalability, and security within IaC setups. Include examples of IaC tools you’ve used, such as Terraform or Pulumi, and discuss how you ensure compliance and security best practices during implementation.

Outline your knowledge of different cloud security frameworks like ISO 27001 and SOC 2. You can mention past experiences where you successfully implemented these frameworks and how they benefitted the organization by enhancing its security posture.

Discuss specific strategies you've employed, such as automating testing or integrating security checks into the CI/CD pipeline. Highlight tools you've used like GitHub Actions or GitLab CI and share measurable results from improvements you've made.

In your answer, describe your methodology for assessing security, including threat modeling and vulnerability assessments. Share any tools you utilize for this purpose, and provide an example of a successful assessment you conducted in previous roles.

Reflect on specific challenges faced regarding security architecture, whether from compliance requirements or evolving threats. Use this opportunity to highlight your problem-solving skills and how you overcame these challenges effectively.

Explain how automation is integral to your DevSecOps workflow, detailing aspects like compliance automation, CI/CD pipeline automation, and security checks. Discuss how automation leads to efficiency and security improvements.

Use this chance to share a case where you led a threat modeling session. Describe the process, the tools used, and the outcomes, emphasizing critical threats identified and mitigation strategies formulated.

Discuss your experience with scripting languages like Python or Bash. Explain why you prefer these languages, giving examples of how they've helped you automate tasks or solve complex problems in past roles.

Share your methods for staying informed, whether through online courses, industry blogs, podcasts, or community networking. Highlight your commitment to continuous learning and how you apply new information to your work.

Articulate your belief in fostering strong collaboration between development and security. Discuss practices like including security in the development lifecycle and encouraging open dialogue to enhance overall security effectiveness.