Cloud Security Engineer - DevSecOps

DevSecOps Engineers at NS8 have a dual responsibility to uphold and create security standards across all of our environments as well as collaborate with other infrastructure teams to operate a production environment. The DevSecOps teams responsibility is to shift left security, reliability, and availability matters early into the development process for the entire engineering org. Accordingly, the DevSecOps team has 3 focuses, Infrastructure, Security, and Test/QA.

We value quality work and an attitude to design and review carefully, thoughtfully, and proactively. We are looking for a DevSecOps Engineer who is passionate about high quality code and processes, automated testing, and continuous integration and monitoring and who will maintain high standards through code reviews and daily interactions.

Responsibilities:

• Implement SAST/DAST/IAST/RAST, IDS/ADS, SIEM/SOAR and other DevSecOps systems, both vendor and open-source, that deploy and run in Kubernetes clusters and in Concourse CI/CD
• Write Policy-as-Code that ensure various systems are compliant, encrypted, and follow least privilege and zero trust models
• Harden networks, containers, orchestrators, and cloud infrastructure more broadly.
• Proactively assess vulnerabilities, model threats, and write automated penetration tests
• Respond to and forensically analyze security incidents in a production environment, ensuring all compliance requirements and guidelines are followed
• Code review with an eye for correctness, standards-compliance, security holes, new attack vectors, increased attack surface, etc

Requirements:
Experience with specific technologies listed is not required. We may prefer candidates who know the specific technologies, but we are also open to input on some of these.

• Threat modeling and penetration testing experience
• IDS/ADS, SIEM/SOAR, and forensics experience. We use or are looking to implement tools like Sysdig Falco as well as vendors like Aqua Security, Twistlock/Prisma, StackRox, and/or Splunk.
• Experience responding to security incidents and following required reporting and resolution protocols
• Compliance experience, e.g. NIST, SOC-2, SOX, PCI, etc.
• Experience with vulnerability assessments, implementing SAST/DAST/IAST/RAST, and integrating security tooling into CI/CD pipelines. We are using or looking to implement tools like Anchore, Clair, Trufflehog, etc. Cloud. We are migrating to Concourse from CircleCI and some AWS CodeBuild.
• Policy-as-Code experience. We are using or looking to implement tools like Open Policy Agent (OPA), cloud-custodian, terraform-compliance, etc.
• Experience encrypting, hardening, segmenting networks. We are using or looking to implement tools like VPC, Security Groups, WAF, Kubernetes L4 & L7 NetworkPolicy, Istio AuthzPolicy, Istio mTLS, and Cilium encrypted networking.
• Experience writing production code in at least one language. Most of our engineering teams use TypeScript, with some sprinkles of Java, Python, Go, Shell, etc.

Preferred:
These experiences are not required, but we will prefer candidates who have one or more of these in addition to the requirements above.

• Infrastructure-as-Code experience. We use plenty of YAML, Helm, and some Terraform but are also looking at Pulumi and cdk8s.
• Multi-cloud experience. We primarily use AWS right now, but are starting to use GCP and potentially more in the future. We try to be cloud agnostic, but take pragmatic approaches and consider trade-offs when using managed services.
• Multi-cluster experience. We run several clusters, some of which communicate with each other, currently in a hub-and-spoke model.
• Experience implementing and influencing a DevSecOps workflow for other teams
• Experience working in an Agile/Kanban environment with GitFlow style development on a Remote / distributed team.
• Experience with any of the DevSecOps Teams other focuses: Infrastructure (linkme) and/or Test/QA (linkme)

Very Preferred:
These experiences are also not required, but we will prefer candidates who have one or more of these in addition to the requirements above.

• Experience running and securing untrusted, 3rd-party workloads.
• Experience with kernel security and hardening containers and orchestrators. Tools such as distroless, gVisor, kata-containers and SELinux, AppArmor, and seccomp more broadly as well as kube-bench and Polaris.
• Experience with PKI management