Engineer III, Software

Job Title

Senior DevSecOps Engineer – SBOM, SAST & CI/CD Security Automation (6–10 years)

Job Description

We are seeking aSenior DevSecOps Engineer (6–10 years of experience)to lead security automation and tooling integration acrossMSD projects. This role will focus on embedding security controls into the software delivery lifecycles specificallySBOM generation and quality improvement, secret scanning, and SAST integration—and automating security report generation and publishing into platforms such asDependency-TrackandDefectDojo.

You will work closely with engineering, DevOps, and security stakeholders to ensure scalable, repeatable, and measurable security practices are implemented through CI/CD pipelines, while continuously improving technical documentation and onboarding guidance for teams adopting these capabilities.

Key Responsibilities

• Integrate and operationalize security tooling within MSD projects, including:

• SBOM generationand validation

• Secret scanning

• SAST(Static Application Security Testing)

• Improve thequantity (coverage)andqualityof generated SBOMs by defining standards, validation gates, and measurable KPIs (e.g., completeness, dependency accuracy, license metadata, component version resolution).

• Design and maintainCI/CD automationto generate security reports and automatically publish results to:

• Dependency-Track(SBOM ingestion / component risk analysis)

• DefectDojo(centralized vulnerability management / reporting)

• Build and maintain “security as code” patterns (pipeline templates, reusable scripts, standardized configs) to enable broad adoption across multiple repositories/teams.

• Establish secure and scalable practices for credential handling in pipelines (least privilege, secret management patterns, rotation support).

• Create, maintain, and continuously improve documentation (runbooks, onboarding guides, troubleshooting, reference architecture) to support platform adoption.

• Provide operational support for security tooling integrations, including triage of pipeline failures,reportingestion issues, and tooling upgrades.

• Contribute to continuous improvement of DevSecOps strategy, governance, and compliance alignment through automation and measurable outcomes.

Required Skills

• 6–10 years of experiencein DevOps / DevSecOps / Security Engineering / Platform Engineering roles with strong CI/CD ownership.

• Strong hands-on experience integrating security tools into CI/CD pipelines (e.g., Jenkins, GitHub Actions, GitLab CI).

• Practical expertise in:

• SBOM generation and management(e.g.,CycloneDX, dependency discovery, artifact association)

• Secret scanningintegrations and tuning

• SASTintegration, configuration, and triage workflows

• Experience automating generation, transformation, and publishing of security results (APIs, JSON handling, pipelines-as-code, scripting).

• Experience integrating with or operating vulnerability/SBOM platforms such asDependency-TrackandDefectDojo(or equivalent tools).

• Strong scripting skills (Python, PowerShell, Bash, etc.) for automation and tooling glue.

• Strong troubleshooting skills across build systems, SCM workflows, containers/artifacts, and security tooling outputs.

• Ability to write clear technical documentation and drive adoption across teams.

Desirable Skills

• Experience improving SBOMquality metricsand implementing policy gates (completeness checks, schema validation, build provenance, license metadata enrichment).

• Experience with container security and artifact scanning (images, binaries, registries), plus SBOM provenance linkage.

• Knowledge of secure software supply chain practices (SLSA concepts, signing/attestation, provenance, dependency pinning).

• Experience working in regulated or security-focused environments with strong auditability requirements.

• Exposure to internal developer platform patterns (golden pipelines, reusable actions, templates, centralized governance).

Top of Form

Bottom of Form