SO, WHAT’S THE STORY?
The DTC team consists of agile squads delivering Dr. Martens’ global digital commerce experience. We have adopted a customer-centric strategy and use modern engineering practices to serve our customers in a manner that is authentic with the brand values.
The DevSecOps Engineer will be a core member of the Brand Experience team, enabling reliable, secure and compliant delivery of our Next.js (React) storefront with a Backend-for-Frontend (BFF) pattern hosted on AWS. The team operates a “You Build It, You Run It” model where security is engineered in — not bolted on.
This role focuses on embedding security across the entire software delivery lifecycle: secure cloud foundations, hardened pipelines, automated threat and vulnerability management, identity and secrets governance, runtime protection, and audit-ready compliance — so product teams ship faster, with confidence, while meeting global performance, privacy and regulatory expectations in a digital commerce environment.
THE GIG
As the DevSecOps Engineer, you will
1. **AWS Cloud & Platform Security**
- Design and operate secure-by-default AWS foundations for Next.js and BFF workloads, including VPC design, segmentation, edge/CDN protections, and resource-level controls aligned to least privilege.
- Own Infrastructure as Code (IaC) security standards using Terraform and/or CloudFormation, embedding policy-as-code (e.g., Checkov, tfsec, OPA/Conftest) and reusable hardened modules.
- Define and enforce baselines for IAM, KMS, networking, logging, and account/landing-zone guardrails (e.g., AWS Config, Security Hub, GuardDuty, SCPs).
2. **Secure CI/CD & Software Supply Chain**
- Build and harden CI/CD pipelines (e.g., GitHub Actions, GitLab CI, Jenkins, AWS-native tooling) with integrated SAST, DAST, SCA, IaC scanning, container image scanning, and secrets detection.
- Implement software supply chain controls: signed commits, artifact signing, SBOM generation, dependency provenance, and protected release paths.
- Enable progressive delivery, zero/low\-downtime deployments, and safe rollback patterns without compromising security gates.
3. **Threat & Vulnerability Management**
- Operate continuous vulnerability discovery across cloud, container, application and dependency layers; drive risk-based prioritisation and remediation SLAs.
- Lead threat modelling and secure design reviews for new features, partnering with engineering and architecture to identify and mitigate risks early.
- Define and operate web application protections (WAF, bot mitigation, rate limiting) for storefront and BFF endpoints.
4. **Identity, Secrets & Data Protection**
- Own secrets management and rotation (e.g., AWS Secrets Manager, Parameter Store, HashiCorp Vault), eliminating hard-coded credentials across services and pipelines.
- Implement encryption in transit and at rest, certificate lifecycle management, and key governance using KMS.
- Govern human and workload identity: federation, OIDC for pipelines, role\-assumption patterns, and just\-in\-time access.
5. **Compliance, Risk & Governance**
- Operationalise compliance for digital commerce: GDPR-aligned data handling, PCI-DSS scope reduction, and customer data protection through automation and guardrails.
- Automate evidence capture, control validation, and audit-ready reporting; partner with InfoSec, Legal and Privacy stakeholders.
- Maintain security policies, exception management, and risk registers relevant to the DTC platform.
6. **Observability, Detection & Incident Response**
- Build security observability: centralised logging, security telemetry, anomaly detection, and alerting using CloudWatch/Datadog/SIEM (or equivalent).
- Participate in on-call rotation; lead security incident triage, coordinate response, and deliver high-quality RCAs with prevention actions.
- Define SLIs/SLOs for security-relevant signals (e.g., mean time to detect/respond, patch latency, control coverage).
7. **Developer Enablement & Security Culture**
- Provide self-service security tooling, golden paths, and pre-approved patterns so engineers can move fast safely.
- Produce clear runbooks, playbooks, secure coding guidance and threat-modelling templates to reduce operational and cognitive load on engineers.
- Champion a security-first culture through coaching, lightweight reviews, and visible metrics.
THE STUFF THAT SETS YOU APART
**Must-have Experience & Skills**
- Strong hands\-on experience securing and operating production workloads on AWS.
- Proven experience embedding security into IaC (Terraform and/or CloudFormation), including policy-as-code and modular hardened patterns.
- Solid background designing and maintaining secure CI/CD pipelines with integrated SAST, DAST, SCA, IaC and container scanning.
- Experience with vulnerability management, threat modelling, and risk-based remediation across cloud, application and dependency layers.
- Working knowledge of web application security (OWASP Top 10, API security, WAF, bot/rate-limit controls).
- Strong operational discipline: incident response, RCA, change management, and runbook\-driven operations.
- Ability to collaborate effectively with cross\-functional product teams and communicate security risk in clear, actionable terms.
**Technical Skills (Expected)**
- AWS security fundamentals: IAM, KMS, VPC, Security Hub, GuardDuty, Config, CloudTrail, WAF/Shield.
- Containers and/or serverless security (ECS/EKS/Lambda), image hardening, and runtime protection concepts.
- Secrets management (AWS Secrets Manager, Parameter Store, Vault) and certificate lifecycle management.
- Security tooling across the SDLC: SAST/DAST/SCA, IaC scanners (Checkov/tfsec), container scanners (Trivy/Grype), secrets scanners.
- Observability and SIEM concepts (CloudWatch, Datadog, OpenTelemetry, structured logging, log/event correlation).
- Scripting and automation skills (e.g., Bash, Python, or Node.js).
- Familiarity with modern web delivery (Next.js build/deploy patterns, CDN/edge, API gateway/BFF considerations) and their security implications.
**Soft Skills (What sets you apart)**
- **Ownership:** You take accountability for security, reliability, delivery outcomes and continuous improvement.
- **Pragmatism:** You balance risk and velocity, choosing controls that protect the business without slowing teams down.
- **Problem solving:** You approach incidents and security issues with structured thinking and data.
- **Communication:** You explain complex security risks in clear, actionable terms to engineers, leadership and non-technical stakeholders.
- **Continuous learning:** You stay current with cloud security practices, tooling, attacker techniques and regulatory standards.
- Bachelor’s degree in Computer Science, Information Systems, Cyber Security or a related field (or equivalent practical experience).
- Relevant certifications (e.g., AWS Security Specialty, CISSP, CCSP, CKS, OSCP, ISO 27001 Lead Implementer/Auditor) are a plus.
- Experience supporting global retail/e-commerce platforms with high availability, performance and regulatory requirements.
- Experience with PCI-DSS scoping, GDPR-aligned data protection, and audit-ready operational processes.
- Experience implementing distributed tracing, SLO-based operational models and security telemetry pipelines.
- Experience enabling self-service developer platforms (templates, golden paths, paved roads for security).
- Familiarity with Zero Trust architectures, service mesh security, and API gateway protection patterns.
We live and breathe Rebellious Self Expression at Dr. Martens, and there are 3 core values at the heart of it. They never stand alone, but work together as a balancing act of rights and responsibilities to support how we work together at DMs. **BE YOURSELF**. **ACT COURAGEOUSLY**. **SHOW YOU CARE**.
At DM your technical capability will go hand in hand with the below
- Great relationship management that delivers results through effective teamwork.
- You’ll be a proud custodian of DM’s culture, embodying what we stand for and encouraging others to do the same.
- You’ll help build a highly engaged team – ensuring a collaborative culture and providing guidance and support to other team members.
- You will take ownership for your own development, proactively seeking out feedback to build self-awareness.
- You will bring the outside-in; you’ll share best practice across the team/business and encourage idea sharing as well as collaborative problem solving.
- You’ll lead the way and role model on all things DE&I and wellbeing.