The DevSecOps engineer is an advanced role to help support, secure, manage and deploy solutions that support business objectives. The role is highly technical, and candidates must possess a solid understanding of information security, infrastructure, software and various operating systems. The role also requires an understanding of business goals/strategy and operational requirements in a fast-paced environment. The DevSecOps engineer supports continuous integration and continuous deployment (CI/CD) initiatives and is an integrated team member working with software developers, system engineers, cybersecurity engineers and systems administrators. At times, the DevSecOps engineer acts as a liaison with business stakeholders to understand the strategy and execution outlook. The role is heavily security-focused and ingrained in the CI/CD pipeline automation to deliver security principles and validation at all times. The DevSecOps Engineer is responsible to develop and implement DevSecOps as a service offering to the enterprise and customers.

Roles and Responsibilities:

• Lead the development and implementation of DevSecOps practices within the company and extend them as a customer service, integrating security, development, and operations for secure and efficient software delivery. 
• Build relationships with developers, stakeholders and scrum masters to incorporate security principles into engineering design and deployments. 
• Supervise testing and validation in application security controls across projects. 
• Oversee implementation of defensive practices and countermeasures across infrastructure and applications. 
• Draft and uphold CI/CD security strategy and practices in tandem with other technical team leads. 
• Serve as a point of contact for security-based escalations and remain tightly involved through resolution. 
• Build services and tools to enable developers and engineers to easily use security components produced by application security team members. 
• Simplify automation that applies security inter-workings with CI/CD pipelines. 
• Enrich DevOps architecture with security standards and best practices. 
• Support the ability to “shift left” and incorporate security early on and throughout the development lifecycle with risk assessments, architecture reviews and threat modeling. 
• Identify vulnerabilities in code through automated and manual assessments (SAST, DAST, IAST, RASP, and SCA tools), and promote quick remediation.
• Communicate vulnerability results in a manner understood by technical and non-technical business units based on risk tolerance and threat to the business, and gain support through influential messaging. 
• Leverage vulnerability database sources to understand the weakness, probability and remediation options supplied by vendors as well as workarounds. 
• Join forces and provision security principles in architecture, infrastructure and code. 
• Regularly research and learn new tactics, techniques and procedures (TTPs) in public and closed forums, and work with colleagues to assess risk and implement/validate controls as necessary through the CI/CD pipeline. 
• Partner with teams to define key performance indicators (KPIs) and metrics across business units. 
• Share lessons and takeaways from engagements to improve practice competencies. 
• Openly support the organisation, management and executive leadership team always. 
• Perform other duties as assigned

• Experience with SCA, SAST, DAST, IAST and RASP. 
• Experience with public cloud providers (AWS, Azure, GCP).
• Proficient in securing Windows and *nix operating systems, endpoint applications, networking protocols and devices.
• Experience with container security, such as Docker and Kubernetes. 
• Knowledge of CI/CD platforms, such as Jenkins and CircleCI. 
• Experience building prototypes of tools and exploits, as well as conducting vulnerability and penetration tests. 
• Proficiency in software development (Java, Rust, Golang, Python, C++, Ruby, etc.). 
• Experience with security requirements for APIs. 
• Knowledge of General Data Protection Regulation (GDPR), Payment Card Industry (PCI), National Institute of Standards (NIST) or International Standards Organization (ISO) requirements. 
• Preferable to have one or more of the following certifications: GWAPT, GWEB, GCSA, CISSP, CSSLP 
• Exceptional project management skills and capable of managing complex and lengthy engagements. 
• Aptitude for technical writing, combined with outstanding business acumen and communication skills. 
• Effective presentation skills, capable to delivering findings, risk and recommendations to stakeholders. 
• High degree of integrity, trustworthiness and confidence; represents the company and its management team with the highest level of professionalism.
• Written and verbal proficiency in English and Nepali languages.

• Bachelor's degree in Computer Science, Information Technology, or a related field.
• Five to Seven years’ experience in information technology, information security administration or security operations.
• Three or more years of experience in cybersecurity with a product and application security engineering background.