DevSecOps Engineer

Come work at a place where innovation and teamwork come together to support the most exciting missions in the world!

Prevent issues from becoming incidents.

As a DevSecOps Engineer, you will be part of a motivated security engineering team responsible for ensuring that Qualys products are built to the highest levels of security and trust. This is a senior role for an engineer with a passion for security, supporting developers, and building trustworthy automation.

About Product Security at Qualys

The Product Security team operates differently. Our mission is to enable continuous improvement across the lifecycle of our product portfolio, so that Qualys can ensure the highest standards of verifiable security, trust, and compliance. Our function is to build a secure SDLC, uphold quality management objectives, and ensure predictable outcomes for customers, our company, and attackers. We find and resolve problems early, working in-line with development. This allows us to reduce friction, increase release velocity, all while keeping security front of mind and at your fingertips.

Responsibilities

• Security Integration: Collaborate with development teams to integrate security practices throughout the SDLC.
• Toolchain Management: Lead the security administration of a modern enterprise DevSecOps toolchain and ensure that each capability operates as intended and performs as expected.
• Automation: Design, implement, maintain, and continuously improve automated security testing, compliance checks, and CI/CD pipelines.
• Security Policies: Develop and define CI/CD security policies that ensure the security of Qualys products is responsive to the evolving tactics, techniques, and procedures of attackers.
• Supply Chain Security: Lead efforts to harden CI/CD pipelines and builds, apply digital signing, and ensure provenance of packages. Apply policies and automation to packages from critical suppliers and OEMs to Qualys.
• Vulnerability Management: Identify, assess, and prioritize vulnerabilities in software applications, infrastructure, and dependencies. Drive remediation strategy collaboration.
• Infrastructure as Code: Ensure that provisioning and configuration management capabilities enforce continuous scanning and immutable security configurations.
• Container Security: Ensure that containerized applications, utilizing tools like Docker and Kubernetes, address key security risks through immutable security configurations.
• Collaboration: Foster a culture of collaboration between development, operations, and security teams, ensuring a shared responsibility for security.
• Documentation: Create and maintain documentation for security processes, policies, and procedures. Work with leadership to drive engagement through the Security Champions program.

Qualifications

• Experience enforcing security policies on SCM such as GitHub, Bitbucket.
• Experience with CI pipeline creation for implementing Secure SLDC controls in major CI agents like Jenkins, Concourse, GitHub, etc.
• Skilled in assessing and improving pipeline workflow, scan optimizations, and feedback loops.
• History of authoring, implementing, and maintaining SAST, SCA, Binary, IaC, and Container security policies in stand-alone as well as in CI pipeline.
• Experience in secret detection enablement in CI pipeline.
• Proven ability to write scalable Ansible and Terraform scripts for security configurations.

Bonus Points

• You understand that DevOps is both a craft and a culture.
• You work well across teams, across time zones
• Understanding of SLSA
• You enjoy making jokes about SBOMs