Sr. DevSecOps Application Security Consultant
Posted: April 27, 2021, 10:43 a.m. - Full Time - Remote
What you'll do:
- Understand technical architecture diagrams of client's infrastructure (both on-prem and cloud) to derive contextual awareness of the entire IT infrastructure.
- Perform risk analysis, gap analysis and threat modelling once the client's infrastructure/application is understood in its proper context.
- Create Data flow diagrams and Risk models as deliverables.
- Provide recommendations and mitigation strategies to clients with proper contextual awareness.
- Assist clients in codifying and automating traditional security processes, taking humans out of the loop and making security controls consumable as a service.
- Build security controls to enforce baseline security guidance into the Continuous Integration and Deployment (CI/CD) pipeline to prevent security misconfigurations and vulnerabilities before they occur.
- Advise clients on various tools and evaluate/understand the tools used in the client infrastructure.
- Integrate processes such as SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), SCA (Software Composition Analysis) and the securing of Infrastructure as Code (IaC) technologies such as Docker and Kubernetes, either with open source tools or with any existing tools used by the clients.
- Advise on and implement security automation tools and techniques to align the client's security posture with their policies.
- Write, automate and manage security test cases using continuous integration/deployment (CI/CD) processes and tools such as Jenkins, Ansible, Packer, and CodeDeploy.
- Automate Elastic log ingestion pipelines for reporting, dashboarding & alerting.
- Perform security reviews against CIS benchmarks and security best practices for technologies such as Docker, Kubernetes, cloud (AWS, GCP and Azure), web servers and database servers.
- Assist with content development for various training and workshops.
- Deliver trainings and workshops on behalf of NotSoSecure (optional).
What you will need to succeed:
- Hands-on experience with DevOps tools: Jenkins, Ansible, Docker, Kubernetes, GitHub Actions.
- Hands-on experience with Continuous Integration/Deployment (CI/CD) and with software tools development (Python and shell scripts, database queries, web development).
- Experience with code scanning (SAST, DAST) tools for C/C++, Java, and Python languages and relevant frameworks.
- Ability to support both Windows and Linux environments, with strong Linux skills (RHEL, CentOS, Ubuntu).
- Knowledge and experience using cloud orchestration tools such as AWS CloudFormation and Terraform.
- Knowledge and experience with server automation and cluster management using Kubernetes, Docker, etc.
- Experience with AWS services (EC2, Lambda, S3, ELB, Route53, CloudWatch, CloudTrail) - preferred but not required.
- Strong understanding of security concepts, standard methodologies and how to apply them, such as SSH, public key encryption, access credentials, certificates, TLS and data encryption.
- Excellent communication skills (written and verbal), with the ability to explain complex topics clearly and concisely to both technical and non-technical audiences.
- Software Development Experience (plus)
- Security Automation Experience (plus)
What we offer you:
- Competitive compensation packages
- Paid parental leave
- Paid medical leave
- Paid annual leave
- Employer matched EPF contribution (separate from salary package)
- Employer-paid, high-quality individual and family medical insurance
- Other benefits
- Highly challenging environment with unmatched growth potential