Engineer III, Software

• *Work Schedule**

First Shift (Days)**Environmental Conditions**

Office**Job Description**

• *Job Title**

• *Senior DevSecOps Engineer – SBOM, SAST \& CI/CD Security Automation (6–10 years)**

• *Job Description**

We are seeking a **Senior DevSecOps Engineer (6–10 years of experience)** to lead security automation and tooling integration across **MSD projects**. This role will focus on embedding security controls into the software delivery lifecycles specifically **SBOM generation and quality improvement, secret scanning, and SAST integration**—and automating security report generation and publishing into platforms such as **Dependency\-Track** and **DefectDojo**.

You will work closely with engineering, DevOps, and security stakeholders to ensure scalable, repeatable, and measurable security practices are implemented through CI/CD pipelines, while continuously improving technical documentation and onboarding guidance for teams adopting these capabilities.

• *Key Responsibilities**

• Integrate and operationalize security tooling within MSD projects, including:
• **SBOM generation** and validation
• **Secret scanning**
• **SAST** (Static Application Security Testing)
• Improve the **quantity (coverage)** and **quality** of generated SBOMs by defining standards, validation gates, and measurable KPIs (e.g., completeness, dependency accuracy, license metadata, component version resolution).
• Design and maintain **CI/CD automation** to generate security reports and automatically publish results to:
• **Dependency\-Track** (SBOM ingestion / component risk analysis)
• **DefectDojo** (centralized vulnerability management / reporting)
• Build and maintain “security as code” patterns (pipeline templates, reusable scripts, standardized configs) to enable broad adoption across multiple repositories/teams.
• Establish secure and scalable practices for credential handling in pipelines (least privilege, secret management patterns, rotation support).
• Create, maintain, and continuously improve documentation (runbooks, onboarding guides, troubleshooting, reference architecture) to support platform adoption.

• **6–10 years of experience** in DevOps / DevSecOps / Security Engineering / Platform Engineering roles with strong CI/CD ownership.
• Strong hands\-on experience integrating security tools into CI/CD pipelines (e.g., Jenkins, GitHub Actions, GitLab CI).
• Practical expertise in:
• **SBOM generation and management** (e.g., CycloneDX, dependency discovery, artifact association)
• **Secret scanning** integrations and tuning
• **SAST** integration, configuration, and triage workflows
• Experience automating generation, transformation, and publishing of security results (APIs, JSON handling, pipelines\-as\-code, scripting).
• Experience integrating with or operating vulnerability/SBOM platforms such as **Dependency\-Track** and **DefectDojo** (or equivalent tools).
• Strong scripting skills (Python, PowerShell, Bash, etc.) for automation and tooling glue.
• Strong troubleshooting skills across build systems, SCM workflows, containers/artifacts, and security tooling outputs.
• Ability to write clear technical documentation and drive adoption across teams.

• Experience improving SBOM **quality metrics** and implementing policy gates (completeness checks, schema validation, build provenance, license metadata enrichment).
• Experience with container security and artifact scanning (images, binaries, registries), plus SBOM provenance linkage.
• Knowledge of secure software supply chain practices (SLSA concepts, signing/attestation, provenance, dependency pinning).
• Experience working in regulated or security\-focused environments with strong auditability requirements.
• Exposure to internal developer platform patterns (golden pipelines, reusable actions, templates, centralized governance).

Top of Form

Bottom of Form