What are the responsibilities and job description for the AWS DevSecOps Engineer position at VITG?
Job Description:
VITG is seeking a DevSecOps Engineer responsible for automating security integration throughout the CI/CD pipeline and the AWS cloud environment. This role will "shift security left" by taking the lead on implementing security-as-code tools, managing their usage, ensuring their proper configuration and compliance, and proactively embedding security policy into the development process. Our ideal candidate is passionate about being part of a "change," and working in a dynamic and highly collaborative environment focused on speed, stability, and security.
The DevSecOps Engineer provides hands-on expertise to integrate and maintain the security posture for corporate systems that support Federal programs, ensuring a successful program Authority To Operate (ATO). You will be responsible for developing, monitoring, and maintaining systems and procedures to safeguard internal information systems, networks, and CI/CD pipelines through automation.
Applicant Requirements:
- US citizen or must be authorized to work in the United States
- Must have lived in the USA for three years of the last five years
- Must be able to obtain a US federal gov badge and eligible for Public Trust clearance
- Must be able to pass a background check, including a drug test
Job Responsibilities:
- Develop, implement, and maintain security automation throughout the entire SDLC, integrating security into the CI/CD pipelines using Jenkins/Github and Infrastructure-as-Code (IaC) principles.
- Run and manage security scans with tools such as Snyk (SAST/SCA) and establish automated tracking and enforcement mechanisms for vulnerability remediation.
- Integrate and manage security workloads running on AWS containers and ensure container image scanning and runtime security policies are enforced.
- Design, manage, and maintain source code for AWS infrastructure in GitHub and manage automated pipelines, ensuring security checks and gates are embedded in every deployment.
- Maintain security information on JIRA/Confluence and actively participate in agile DevSecOps practices, promoting a "Secure-by-Design" culture.
- Provide hands-on support for developing, coordinating, implementing, and enforcing information systems security policies, standards, and methodologies as code.
- Maintain operational security posture for Enterprise Salesforce FISMA system by ensuring security is baked into configuration and deployment practices.
- Implement security tools, security tool usage, and policy-as-code to ensure configurations remain compliant and configured properly, all while ensuring a successful program ATO.
- Automate vulnerability/risk assessment analysis to support continuous monitoring and authorization.
- Manage changes to the system and assess the security impact of those changes through automated compliance checks.
- Assist with the management of security aspects of the information system and perform day-to-day security operations of the system.
- Evaluate security solutions to ensure they meet security requirements for processing classified information.
- Perform vulnerability/risk assessment analysis to support certification and accreditation.
- Prepare and review documentation, including System Security Plans (SSPs), Risk Assessment Reports, Certification and Accreditation (C&A) packages, and System Requirements Traceability Matrices (SRTMs).
Qualifications & Skills:
- Bachelor's or Master's degree in Computer Science, Engineering, Information Technology, or a related discipline
- Minimum of 6 years related experience in Information Technology including 4 years in the DevSecOps or Application Security (AppSec) space.
- Demonstrated hands-on experience in cloud environments such as AWS Commercial and GovCloud, specifically with security automation, logging, and monitoring services (e.g., GuardDuty, Security Hub, CloudTrail).
- Expertise in CI/CD pipeline management and the integration of security tools for Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA).
- Required: Strong hands-on experience with AWS, Snyk, GitHub, JIRA, and Confluence to implement and manage the end-to-end DevSecOps toolchain.
- Demonstrated work experience with Infrastructure-as-Code (IaC) security (e.g., using Checkov or Terrascan on Terraform/CloudFormation).
- (Preferred) Experience with the Salesforce Platform and its tool ecosystem.
- (Preferred) Experience on Salesforce or any other platform with configuration/setup of external client applications and secure communications (TLS).
- (Preferred) AppOmni experience: have used it and can manage issues, add new orgs, and perform configurations.
- Strong background in the certification and accreditation process (ATO) and the ability to automate compliance checks against frameworks like FISMA, NIST, and FedRAMP.
- Possesses working knowledge of business security practices, current security automation tools, and policy-as-code implementation.
- Demonstrated working knowledge of vulnerability assessment and penetration testing processes, focusing on how to automate these checks.
- Experience with Government Agency Security Assessment Process in support of maintaining and/or establishing an ATO and the appropriate boundary.
- (Preferred) Experience with, understanding of, and adherence to guidelines such as FISMA, NIST, HIPAA, and IRS Pub 1075.
Preferred Certifications:
- Required: AWS DevOps or SysOps or an equivalent certification.
- Preferred: industry certifications such as CISSP, CEH, GIAC, etc.
Job Type: Full Time
Salary: BOE
Benefits:
- 401(k) with employer contribution
- Medical/Dental/Vision insurance (option for full coverage for employee)
- Life and ST/LT insurance
- Professional development opportunities
Schedule:
- 8-hour shift
- May include minimal after-hours support depending on the deployment schedule
Work Type:
- Hybrid remote in Ellicott City, MD 21043
- 1 to 2 days in office weekly