Sr. DevSecOps Application Security Consultant

Posted: April 27, 2021, 10:43 a.m. - Full Time - Remote

What you'll do:

  • Understand technical architecture diagrams of client's infrastructure (both on-prem and cloud) to derive contextual awareness of the entire IT infrastructure.
  • Perform risk analysis, gap analysis and threat modelling once the client's infrastructure/application is understood with proper contextual awareness.
  • Create Data flow diagrams and Risk models as deliverables.
  • Provide recommendations and mitigation strategies to clients with proper contextual awareness.
  • Assist clients to codify and automate traditional security processes, taking humans out of the equation and making security controls consumable as a service.
  • Build security controls to enforce baseline security guidance into the Continuous Integration and Deployment (CI/CD) pipeline to prevent security misconfigurations and vulnerabilities before they occur.
  • Advise clients on various tools and evaluate/understand the tools used in the client infrastructure.
  • Integrate processes such as SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), SCA (Software Composition Analysis) and the securing of Infrastructure as Code (IaC) technologies such as Docker and Kubernetes, using either open source tools or tools already in use at the client.
  • Advise and implement automation security tools and techniques to align client's security posture with their policies.
  • Write, Automate and Manage security test cases using continuous integration/deployment (CI/CD) processes and tools such as Jenkins, Ansible, Packer, and CodeDeploy.
  • Automate Elastic log ingestion pipelines for reporting, dashboarding & alerting.
  • Perform security review against CIS benchmarks and security best practices of technologies like Docker, Kubernetes, Cloud (AWS+GCP+Azure), WebServers, Database Servers.
  • Assist with content development for various training and workshops.
  • Deliver trainings and workshops on behalf of NotSoSecure (Optional).

What you will need to succeed:

  • Hands-on experience with DevOps tools: Jenkins, Ansible, Docker, Kubernetes, GitHub Actions.
  • Hands-on experience in Continuous Integration/Deployment (CI/CD) and software tool development experience (Python and shell scripts, database queries, web development).
  • Experience with code scanning (SAST, DAST) tools for C/C++, Java, and Python languages and relevant frameworks.
  • Ability to support both Windows and Linux environments but must be strong in Linux (RHEL, CentOS, Ubuntu).
  • Knowledge and experience using cloud orchestration tools such as AWS CloudFormation and Terraform.
  • Knowledge and experience with server automation and cluster management using Kubernetes, Docker, etc.
  • Experience with AWS services (EC2, Lambda, S3, ELB, Route53, CloudWatch, CloudTrail) - preferred but not required.
  • Strong understanding of security concepts, standard methodologies and how to apply them, such as SSH, public key encryption, access credentials, certificates, TLS and data encryption.
  • Excellent communication skills (written and verbal) with an ability to explain complex topics in a clear and concise manner to both technical and non-technical audiences.
  • Software Development Experience (plus)
  • Security Automation Experience (plus)

What we offer you:

  • Competitive compensation packages
  • Paid parental leave
  • Paid medical leave
  • Paid annual leave
  • Employer matched EPF contribution (separate from salary package)
  • Employer-paid, high-quality individual and family medical insurance
  • Other benefits
  • Highly challenging environment with unmatched growth potential