SM Investments Corporation

Cloud DevSecOps Lead

Exp: 7-15 Years

Cloud Management, Cloud Computing, Web Development

Job Description

Overall objectives:

  • Responsible for automating security controls within CI/CD pipelines, securing cloud and container environments, and ensuring compliance with industry standards.
  • Responsible for integrating security seamlessly into the development and operations lifecycle.
  • Possess a strong security mindset and proficiency in automating security controls within CI/CD pipelines, securing cloud and container environments, and ensuring compliance with industry standards.
  • Will work closely with cross-functional teams to ensure security is not an afterthought but a continuous focus throughout the software development lifecycle.

Technical Competencies:

  • Experience integrating security into CI/CD pipelines (Jenkins, CircleCI, and GitLab).
  • Deep knowledge of Cloud Security and Container Security best practices.
  • Hands-on experience with Infrastructure as Code (IaC) security and automation.
  • Proficient in Security Testing Tools such as Snyk, SonarQube, Checkmarx, or Fortify.
  • Strong knowledge of IAM Best Practices and federated identity solutions.
  • Experience implementing Security Compliance Frameworks (ISO 27001, NIST, CIS).
  • Familiar with DevOps Toolchain Security including securing CI/CD tools and artifact repositories.

DevOps Toolchain Security

  • Ensure Source Control Security best practices in Git repositories.
  • Secure Artifact Repositories (Nexus, JFrog Artifactory) by ensuring signed artifacts and dependency integrity.
  • Harden CI/CD tools like Jenkins, GitLab, and GitHub Actions against security risks.

Security Mindset and Knowledge

  • Embed Security by Design into all phases of the development lifecycle.
  • Perform Threat Modeling to anticipate vulnerabilities and enhance security defenses.
  • Apply the OWASP Top 10 to secure web applications.
  • Implement and enforce Security Policies and Frameworks (ISO 27001, NIST, CIS).
  • Apply the Zero Trust Model in cloud and container environments.

Identity and Access Management (IAM)

  • Implement IAM Best Practices including the principle of least privilege and role-based access control (RBAC).
  • Manage Federated Identity using protocols like SAML, OAuth, or AWS Cognito.
  • Secure secrets management tools like HashiCorp Vault or Secrets Manager.

Container and Cloud Security

  • Secure containers using tools like Docker Bench for Security, Aqua, or Twistlock.
  • Implement Kubernetes Security best practices such as RBAC, Network Policies, and secrets management.
  • Ensure Cloud Security by leveraging native security tools such as but not limited to AWS GuardDuty, Azure Security Center, or GCP Security Command Center.

Automation & CI/CD Integration

  • Integrate Automated Security Testing tools (SAST, DAST, SCA) into CI/CD pipelines.
  • Perform Static and Dynamic Code Analysis using tools like Snyk and SonarQube. Automate security-focused code reviews and integrate them into the pipeline.
  • Secure Infrastructure as Code (IaC) using tools like Terraform and CloudFormation.

Compliance and Governance Automation

  • Implement Compliance as Code for standards like GDPR, HIPAA, or PCI DSS using tools such as Chef InSpec or OpenSCAP.
  • Maintain and review Audit Trails for security events and incidents.
  • Enforce security policies using tools like OPA (Open Policy Agent) and AWS Config.

Risk Management and Security Assessments

  • Conduct Risk Assessments to identify security vulnerabilities and threats.
  • Continuously evaluate and enhance Security Posture to mitigate risks.
  • Apply Security Controls as compensating measures when vulnerabilities cannot be immediately fixed.

Cloud-Native Security Services

  • Implement and manage AWS/Azure/GCP Security Services like IAM, GuardDuty, and CloudTrail.
  • Ensure Cloud Security Posture Management (CSPM) using tools like Prisma Cloud or Dome9.

Bachelors/ Degree

Date Posted: 20/11/2024

Job ID: 100899359

About Company

SM Investments Corporation is a leading Philippine company that is invested in market-leading businesses in retail, banking, and property. It also invests in ventures that capture high growth opportunities in the emerging Philippine economy.

SM’s retail operations are the country’s largest and most diversified with its food, non-food, and specialty retail stores. SM’s property arm, SM Prime Holdings, Inc., is the largest integrated property developer in the Philippines with interests in malls, residences, offices, hotels, and convention centers as well as tourism-related property developments. SM’s interests in banking are in BDO Unibank, Inc., the country’s largest bank, and China Banking Corporation, the fourth largest bank by total assets among private banks.
SM’s retail operations are the country’s largest and most diversified with its food, non-food and specialty retail stores. SM’s property arm, SM Prime Holdings, Inc., is the largest integrated property developer in the Philippines with interests in malls, residences, offices, hotels and convention centers as well as tourism-related property developments. SM’s interests in banking are in BDO Unibank, Inc., the country’s largest bank and China Banking Corporation, the 6th largest bank.

Website
http://www.sminvestments.com

Last Updated: 20-11-2024 08:33:09 AM