Senior DevSecOps Engineer

Posted Jul 28

The Senior DevSecOps Engineer promotes flexible collaboration and communication between development, security, compliance, testing, monitoring and production teams, and optimizes the release process by leading teams to identify gaps and eliminate barriers, enabling more frequent and more reliable code deployments.

Responsibilities

In this role you will be on a team of security engineers performing triage, production release analysis, bug hunting, driving DevSecOps adoption and delivering on our “everything is code” approach to product development. Your focus will be shift-left DevSecOps opportunities, CI/CD pipeline scanning, open-source and software composition analysis (SCA), release validation and analysis, and engineering automation.

We are looking for someone with at least 3 years of application security and/or offensive security experience.

You are a great fit if the following are true:

  • You can handle complicated bugs and complex application security issues.
  • You love developers, teaching, learning, and research.
  • You have a home lab and are constantly learning.
  • You are passionate about customer experience.
  • You love breaking and building, can code and hack.
  • You know the OWASP Top 10 and understand defensive coding techniques.
  • You have experience with Git, Gitflow and SAST, DAST, SCA and IAST tooling.
  • Architects and Red Teamers don’t scare you.
  • You love open source, community and collaboration.
  • You have deep experience breaking web applications, APIs, mobile apps and anything that compiles.
  • You can distill complicated issues and communicate to senior leaders why they matter and how they work.
  • You have a strong scripting and automation background (you can write in one or more of Python, JavaScript/TypeScript or PowerShell; Python preferred).
  • You have Azure DevOps or GitHub automation experience, or similar experience with CI/CD tooling.
  • You are proficient at managing, supporting and deploying Checkmarx, AppScan, Veracode, Rapid7, Fortify or similar tools.

Responsibilities:

  • Partner with our Security Advocate Community, Compliance and governance, platform teams, DevSecOps and DevOps teams.
  • Improve and expand application security quality across our entire portfolio of applications.
  • Serve as a release gate, ensuring legacy and non-CI/CD-enabled teams are scanning code and are free of known vulnerabilities prior to production release.
  • Mentor others, share and support, and serve as the expert for escalated analysis.
  • Contribute to inner source and demonstrate engineering community engagement.
  • Help developers solve application security defects.
  • Contribute to and execute on our secure software development strategy for the enterprise.

Required:

  • At least 3 years of experience with application security, including familiarity with the leading toolsets supporting application security (dynamic and static). Experience with Checkmarx, AppScan, Burp Suite, Contrast, JFrog Xray, NowSecure, Black Duck, WhiteSource, Fortify or similar tooling.
  • Strong application security experience across a variety of technologies and languages.
  • Deep experience in static code analysis and third-party software composition analysis.
  • Deep experience with Burp Suite and breaking web applications.
  • Excellent communication skills with the ability to influence others.
  • Analytical and problem-solving skills.
  • Strong scripting skills; can quickly find common issues across large code bases or IP ranges.
  • Contributions to the broader security or open-source community.
  • Must be passionate about contributing to an organization focused on continuously improving consumer experiences.
  • Must be passionate about developer experience, privacy, security, quality and product delivery.
  • Can demonstrate exploitation and break applications with ease, is creative and thinks evil by default.

Preferred:

  • Prior experience leading an application security program, with 1000+ stakeholders and development teams in the portfolio
  • Prior experience managing, supporting and deploying SAST/DAST and Open Source Analysis programs and tools across an organization
  • Cloud experience or experience with Docker or similar container platforms.
  • Working knowledge of Linux and Windows operating systems
  • Reverse engineering, bug hunting, vulnerability assessment, or exploit development experience.
  • Strong experience with one of the following: C#, JavaScript, Java, Python, Ruby or similar.
  • You understand design, delivery and ownership, along with modern SDLC practices.
  • Knowledge of common information security management frameworks, including but not limited to ISO 27001/27002, ITIL, COBIT, NIST and BSIMM.

  • Professional security certification, such as OSCP, Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other similar credentials, is a plus but not required.
  • Experience with ServiceNow Asset Management is a plus.

Additional Information:

Humana and its subsidiaries require vaccinated associates who work outside of their home to submit proof of vaccination, including COVID-19 boosters. Associates who remain unvaccinated must either undergo weekly negative COVID testing OR wear a mask at all times while in a Humana facility or while working in the field.

Work-At-Home Requirements

  • WAH requirements: Must have the ability to provide high-speed DSL or cable modem service for a home office. Associates or contractors who live and work from home in the state of California will be provided payment for their internet expense.
  • A minimum standard speed for optimal performance of 25x10 (25 Mbps download x 10 Mbps upload) is required.
  • Satellite and wireless internet service is NOT allowed for this role.
  • A dedicated workspace free of ongoing interruptions, to protect member PHI / HIPAA-protected information.

#LI-WM1

#LI-Remote

Scheduled Weekly Hours

40