
Jonas Software is the leading provider of enterprise management software solutions to over 40 different vertical markets. Within these vertical markets, Jonas has acquired over 160 unique and innovative companies.
1001 - 5000 employees
November 26

• Own Security Automation
  o Design, implement, and run the CI/CD security toolchain: SAST, SCA, DAST, container and IaC scanning, secrets detection, SBOM generation, and policy-as-code.
  o Integrate scanners into GitHub/GitHub Actions pipelines with PR gates and auto-ticketing to JIRA; tune noise, baselines, and break-glass rules.
  o Establish vulnerability management SLAs, risk acceptance workflow, and metrics dashboards (e.g., MTTR, vuln burn-down).
• Embed Security in the SDLC
  o Create lightweight secure-coding standards and review checklists for TypeScript/Node, Java, Ruby, React.
  o Run threat modeling (STRIDE/PASTA) and produce DFDs (L0–L2) for new and high-risk flows.
  o Lead a “security champions” program with engineering squads.
• Platform & Cloud Security (AWS/EKS)
  o Harden EKS workloads (admission controls, pod security, image signing, runtime protection), ECR scanning, and supply-chain security.
  o Implement and iterate on IAM least-privilege, KMS/CloudHSM key management, network segmentation, WAF/Shield, CloudFront, GuardDuty/Security Hub, and centralized logging.
  o Validate service-to-service auth (mTLS, OIDC, JWT), secrets management (AWS Secrets Manager/SSM), and data protection at rest/in transit (FIPS-validated crypto).
  o Manage security certificate adoption, both our own and third-party, across the company technology stack.
• Compliance Automation
  o Map controls and automate evidence for PCI DSS 4.0 (and SOC 2/ISO 27001 as needed): continuous monitoring, detector-to-control mappings, and audit-ready artifacts.
  o Partner with compliance on policies, risk register, third-party/vendor assessments, and control testing cadence.
• Penetration Testing & Response
  o Scope and coordinate internal and third-party penetration tests (API, web, mobile, cloud); plan fix-verification and retests.
  o Contribute to incident response playbooks, tabletop exercises, and forensics runbooks.
  o Participate in incident response events and be a key contributor to improving security posture.
• Research & implement AI security tools:
  o Evaluate and deploy AI/ML capabilities (LLM-assisted code reviews, AI triage for SAST/SCA/DAST, anomaly detection over logs/telemetry, drift detection) to reduce toil and increase signal quality, without leaking sensitive code or data.
• Own outcomes & KPIs:
  o Define baselines, instrument dashboards, and continuously tune models/policies to demonstrably improve detection efficacy, remediation speed, and compliance evidence quality.
• Guardrails & governance:
  o Establish safe-use patterns (PII redaction, repository allowlists, prompt/content controls, human-in-the-loop), document model/feature risks, and keep audit trails that map to PCI DSS 4.0 controls.
• Automation & SOAR integration:
  o Orchestrate AI-assisted enrichment and response (e.g., auto-labeling, deduplication, prioritization, suggested fixes/PRs) across CI/CD, SIEM, ticketing, and chat.
• 8–10 years in application/cloud security or DevSecOps for high-availability platforms (fintech/payments ideal).
• Hands-on DevSecOps program administration experience with Veracode.
• Fluent in Terraform for the AWS Stack.
• Strong CI/CD experience (GitHub Actions preferred) and automation in Python/TypeScript/Bash.
• Solid AWS security fundamentals: IAM, KMS, CloudTrail, Config, Security Hub, GuardDuty, VPC/LBs, WAF/Shield; Kubernetes/EKS hardening experience.
• Familiarity with microservices, event-driven systems, and DDD; ability to read code in TypeScript/Java/Ruby and basic ReactJS patterns.
• Working knowledge of PCI DSS 4.0 control objectives (tokenization/PAN handling, key management, segmentation, logging/retention), plus SOC 2/ISO 27001 concepts.
• Clear communication with engineers and non-technical stakeholders; bias to automate and simplify.
• Bonus Point: Payments domain exposure: EMV/3DS, PAN vaulting, network tokenization, P2PE, dispute/chargeback flows.
October 23
Integration Reliability Engineer at Stripe managing technical operations for payments automation. Collaborating with teams to enhance financial systems and streamline processes.
October 17
Infrastructure Reliability Engineer at Tecsys supporting cloud infrastructure on AWS and Kubernetes. Focusing on automation, observability, and continuous improvement within a remote team environment.
🗣️🇫🇷 French Required
October 7
Integration Reliability Engineer at Stripe developing technical solutions for local payment methods. Collaborating on infrastructure projects that handle billions in payment flows annually.