
Vodafone • Kinshasa, Congo, the Democratic Republic of the
CYBER SECURITY DEVSECOPS SPECIALIST
Transparency ranking: 8.4/10
Job Description
ROLE PURPOSE
The DevSecOps Specialist will be crucial in integrating security practices within the DevOps process, ensuring our organisation's software and infrastructure are safeguarded from evolving cyber threats.
Key accountabilities
- The primary responsibility of the DevSecOps Specialist will be to identify security risks through threat modelling, develop robust mitigation strategies, and implement advanced security measures throughout the software development lifecycle.
- Key duties include application threat modelling, assessing code and applications to ensure they are vulnerability-free before being shipped to production environments in alignment with the organisation's Secure-by-Design framework.
- Responsibilities will also encompass maintaining the security of applications and APIs throughout the product lifecycle, consistent with the DevSecOps continuum and internal security standards.
- Additional tasks involve monitoring and securing the CI/CD pipeline, conducting comprehensive security audits, responding to and investigating security incidents, and establishing/enforcing stringent security protocols.
- Furthermore, the DevSecOps Specialist will provide security expertise to development and operations teams, fostering a culture of security awareness and adherence to best practices.
- Staying current on the latest cyber threats and security technologies is essential for effectively protecting the organisation's assets.
- Proficiency in fundamental programming languages such as JavaScript (React JS, Next JS, Angular JS), Node JS, Golang, Python and Java is a prerequisite. Additionally, C++, C#, scripting skills in Bash and PowerShell are considered a plus.
- Experience with cloud platforms like AWS, Azure, Google Cloud Platform (GCP), and IBM Cloud is essential, along with an understanding of cloud security best practices relevant to these environments.
- Knowledge of containerization and orchestration solutions, including Docker, Kubernetes, and OpenShift, is important. An appreciation of the security aspects of containerization, such as image scanning and runtime security, is highly valued.
- Candidates should have exposure to CI/CD pipeline tools like Jenkins, GitHub Actions, GitLab CI/CD, CircleCI, and Travis CI, and experience integrating security into CI/CD pipelines.
- Knowledge of Infrastructure as Code (IaC) using tools like Terraform, CloudFormation, Ansible, Chef, and Puppet is necessary, with a desirable understanding of security practices in IaC environments.
- Extensive exposure to security tools and technologies is required. This includes Static Application Security Testing (SAST) tools like SonarQube and Checkmarx, Dynamic Application Security Testing (DAST) tools like OWASP ZAP and Burp Suite, Software Composition Analysis (SCA) tools like WhiteSource (Mend.io) and Snyk, and Runtime Application Self-Protection (RASP) tools.
- A solid appreciation of network security, including firewalls, VPNs, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS), is essential. An understanding of network protocols and security, such as TCP/IP, HTTP/HTTPS, the network zoning model and SSL/TLS, is also important.
- An understanding of threat modelling and vulnerability management is required, as well as experience using tools like the Microsoft Threat Modeling Tool, OWASP Threat Dragon, and vulnerability scanners like Nessus and Qualys.
- The ability to implement application monitoring and logging tools like Splunk, the ELK Stack (Elasticsearch, Logstash, Kibana), Prometheus, and Grafana is necessary.
CORE RESPONSIBILITIES MANAGEMENTS
- Knowledge of integrating with Security Information and Event Management (SIEM) tools is also desirable.
- Some exposure to Identity and Access Management (IAM) tools like Okta, Auth0, AWS IAM, and Azure AD is preferred. Knowledge of Role-Based Access Control (RBAC) and Multi-Factor Authentication (MFA) is critical.
- An understanding of databases is preferred, including relational databases like Oracle, MySQL, PostgreSQL, and SQL Server, as well as NoSQL databases such as MongoDB and Cassandra. This includes the ability to construct efficient queries, optimize database performance, and ensure data integrity and security.
- Additionally, a good understanding of secure development and assessment of application programming interfaces (APIs) is a critical skill.
- This involves knowledge of RESTful and SOAP APIs, implementing secure API authentication and authorization mechanisms, and conducting regular security assessments to identify and mitigate potential vulnerabilities.
QUALIFICATION AND EXPERIENCE
- Minimum of 3-5 years of experience in Cyber Security
- Bachelor's degree in computer science, information technology, cyber security, or a related field.
- Security-related certifications such as DevOps Institute's DevSecOps Foundation; Certified Kubernetes Security Specialist (CKS); AWS, Azure, or GCP Certified DevOps Engineer
- Candidates should have a strong knowledge of cyber security principles and best practices.
- Exposure to DevSecOps Standards and Frameworks such as NIST Cybersecurity Framework (CSF), ISO/IEC 27001, CIS Controls, and OWASP Top Ten.
- Candidates must be well-versed in DevOps and DevSecOps frameworks, such as the DevOps Institute's DevSecOps Foundation, and thoroughly understand Continuous Integration and Continuous Delivery (CI/CD) best practices.
- Candidates are expected to have strong collaboration and communication skills, with the ability to work effectively across development, operations, and security teams.
- They must also be capable of articulating security findings and recommendations clearly.
- Problem-solving and critical thinking are essential, including analytical skills to identify security vulnerabilities and threats and strategic thinking to implement effective security solutions.
- Project management skills are a plus, including the ability to manage multiple projects, prioritize tasks, and a familiarity with Agile methodologies and tools like Jira.
- Continuous learning is required, emphasizing staying up to date with the latest security trends, threats, and technologies.
- This includes participation in relevant training, certifications, and conferences.
- Excellent communication skills [French and English]
Company benefits
UK (28), India (22), Egypt (21), Hungary (20), Romania (20), Albania (22), Turkey (14) days annual leave + bank holidays
Work from anywhere scheme – work for up to 20 days/year abroad (dependent on country)
Annual bonus – dependent on company performance
Employee discounts
Personal development days – once per quarter
Learning platform – access to Harvard Business Publishing, MIT Horizon and Skillsoft
Enhanced maternity leave – 16 weeks (paid) with a phased return to work over 6 months
Enhanced paternity leave – 16 weeks (paid) with a phased return to work over 6 months
Volunteer days – up to 5 days
Coaching – access to a free certified internal pool of coaches
Mentoring
Carer’s leave
Adoption leave – 16 weeks (paid) with a phased return to work over 6 months
Enhanced sick days
Mental health platform access
Mental health first aiders
Employee assistance programme
Complimentary Medical Services – 24/7 online doctor service
Compassionate leave
Home office set up
Buddy scheme
Referral bonus
Early finish Fridays
Buy or sell annual leave
Cycle to work scheme
Life insurance
Sabbaticals
Salary sacrifice
Share options
Teambuilding days
Faith rooms
Enhanced pension match/contribution
LinkedIn learning license
Working at Vodafone
Company employees: 85,887
Gender diversity (m:f): 61:39
Hiring in countries
Albania
Belgium
Cyprus
Czechia
Democratic Republic of the Congo
Egypt
France
Germany
Greece
Hungary
India
Ireland
Italy
Lesotho
Luxembourg
Mozambique
Portugal
Romania
South Africa
Spain
Tanzania
Türkiye
United Kingdom
United States