  • Posted: Nov 10, 2023
    Deadline: Not specified

    Imagine a world where people live healthier, more enhanced and protected lives… A world in which each organisation is a powerful influencer and responsible corporate citizen, committed to being a force for social good. As a leading innovator in healthcare, wellness, insurance, investments, financial and life planning, Discovery works ceaselessly to...

    DevSecOps Engineer - Sandton

    About the role

    As a Senior DevSecOps Engineer, you will be responsible for integrating security into the development, deployment, and maintenance of our software products, ensuring the highest standards of security and reliability.

    Key Outputs / Job Responsibilities may include but are not limited to:

    • Develop and implement security solutions throughout the software development lifecycle, from design to deployment and maintenance, using methodologies such as STRIDE, DREAD, CVSS, and the OWASP ASVS.
    • Work closely with developers, IT operations, and security governance and operations teams to ensure security is integrated into all aspects of the development pipeline.
    • Automate security processes and tools to enable continuous integration, continuous delivery, and continuous monitoring (CI/CD/CM) of applications and infrastructure.
    • Develop and implement metrics, reporting, and monitoring processes to track the effectiveness of DevSecOps practices, using tools like Dynatrace, ELK, Splunk, AWS CloudWatch and Sonatype. Examples of metrics include vulnerability remediation times, security incidents, and code review coverage.
    • Establish a governance, review, and continuous improvement process for DevSecOps practices, ensuring alignment with organizational goals and industry best practices.
    • Perform risk assessments and threat modelling to identify potential vulnerabilities and provide recommendations for mitigation strategies.
    • Develop and enforce security policies and guidelines for application and infrastructure development, based on industry best practices and standards such as OWASP Top Ten, CWE/SANS Top 25, NIST SP 800-53, and OWASP ASVS.
    • Train and mentor developers in secure coding practices, emphasizing areas such as input validation, output encoding, and least privilege principles, as well as conducting regular security awareness sessions.
    • Conduct regular security audits, vulnerability assessments, and penetration tests to identify and remediate potential threats.
    • Stay current with industry trends, emerging threats, and best practices in DevSecOps to continuously improve our security posture.
    • Develop and maintain documentation related to security practices, policies, and procedures.

    Work Experience

    • 3-5 years of relevant Cloud Engineer experience

    Education / Qualifications / Accreditations with Professional Body

    • Bachelor's degree in Computer Science, Engineering, Information Systems, or a related field.

    Preferred (would be advantageous)

    • Relevant certifications such as CISSP, CEH, or OSCP are a plus.
    • AWS Cloud Engineer/Practitioner certification

    Technical Skills or Knowledge

    • Strong understanding of software development processes, CI/CD principles, and Agile methodologies.
    • Expertise in various security frameworks, tools, and technologies such as OWASP, SAST, DAST, IAST, RASP, and familiarity with toolsets such as SonarQube, Veracode, Checkmarx, and Fortify.
    • Proficient in scripting languages such as Python, Ruby, or Shell.
    • Experience with containerization and orchestration technologies, such as Docker and Kubernetes.
    • Familiarity with cloud platforms (AWS, Azure, GCP) and their respective security services and tools.
    • Knowledge of networking protocols, firewalls, intrusion detection systems, and encryption technologies.
    • Strong analytical, problem-solving, and communication skills.
    • Software Development: This includes proficiency in programming languages such as Python, Java, JavaScript, or C#, as well as familiarity with software development methodologies like Agile or DevOps.
    • Security Knowledge: They should be familiar with security frameworks such as OWASP (Open Web Application Security Project) and have experience in implementing security controls and practices within software development processes.
    • DevOps Practices: This includes experience with continuous integration and continuous deployment (CI/CD) pipelines, configuration management tools like Ansible or Chef, containerization technologies such as Docker or Kubernetes, and infrastructure-as-code (IaC) tools like Terraform or CloudFormation.
    • Security Tools and Technologies: This may include vulnerability scanning tools like Nessus or Qualys, security testing frameworks such as Burp Suite or ZAP, security information and event management (SIEM) tools like Splunk or ELK stack, and other relevant security tools.
    • Cloud Computing: Experience with cloud security best practices, configuring and securing cloud resources, and managing cloud-based deployments is highly valuable.

    Method of Application

    Interested and qualified? Go to Discovery Limited on careers.discovery.co.za to apply
