### **SO, WHAT’S THE STORY?**
The DTC team consists of agile squads delivering Dr. Martens’ global digital commerce experience. We have adopted a customer-centric strategy and use modern engineering practices to serve our customers in a manner that is authentic with the brand values.
The DevSecOps Engineer will be a core member of the Brand Experience team, enabling reliable, secure and compliant delivery of our Next.js (React) storefront with a Backend-for-Frontend (BFF) pattern hosted on AWS. The team operates a “You Build It, You Run It” model where security is engineered in — not bolted on.
This role focuses on embedding security across the entire software delivery lifecycle: secure cloud foundations, hardened pipelines, automated threat and vulnerability management, identity and secrets governance, runtime protection, and audit-ready compliance — so product teams ship faster, with confidence, while meeting global performance, privacy and regulatory expectations in a digital commerce environment.
### **THE GIG**
As the DevSecOps Engineer, you will:
1. **AWS Cloud & Platform Security**
   - Design and operate secure-by-default AWS foundations for Next.js and BFF workloads, including VPC design, segmentation, edge/CDN protections, and resource-level controls aligned to least privilege.
   - Own Infrastructure as Code (IaC) security standards using Terraform and/or CloudFormation, embedding policy-as-code (e.g., Checkov, tfsec, OPA/Conftest) and reusable hardened modules.
   - Define and enforce baselines for IAM, KMS, networking, logging, and account/landing-zone guardrails (e.g., AWS Config, Security Hub, GuardDuty, SCPs).
2. **Secure CI/CD & Software Supply Chain**
   - Build and harden CI/CD pipelines (e.g., GitHub Actions, GitLab CI, Jenkins, AWS-native tooling) with integrated SAST, DAST, SCA, IaC scanning, container image scanning, and secrets detection.
   - Implement software supply chain controls: signed commits, artifact signing, SBOM generation, dependency provenance, and protected release paths.
   - Enable progressive delivery, zero/low-downtime deployments, and safe rollback patterns without compromising security gates.
3. **Threat & Vulnerability Management**
   - Operate continuous vulnerability discovery across cloud, container, application and dependency layers; drive risk-based prioritisation and remediation SLAs.
   - Lead threat modelling and secure design reviews for new features, partnering with engineering and architecture to identify and mitigate risks early.
   - Define and operate web application protections (WAF, bot mitigation, rate limiting) for storefront and BFF endpoints.
4. **Identity, Secrets & Data Protection**
   - Own secrets management and rotation (e.g., AWS Secrets Manager, Parameter Store, HashiCorp Vault), eliminating hard-coded credentials across services and pipelines.
   - Implement encryption in transit and at rest, certificate lifecycle management, and key governance using KMS.
   - Govern human and workload identity: federation, OIDC for pipelines, role-assumption patterns, and just-in-time access.
5. **Compliance, Risk & Governance**
   - Operationalise compliance for digital commerce: GDPR-aligned data handling, PCI-DSS scope reduction, and customer data protection through automation and guardrails.
   - Automate evidence capture, control validation, and audit-ready reporting; partner with InfoSec, Legal and Privacy stakeholders.
   - Maintain security policies, exception management, and risk registers relevant to the DTC platform.
6. **Observability, Detection & Incident Response**
   - Build security observability: centralised logging, security telemetry, anomaly detection, and alerting using CloudWatch/Datadog/SIEM (or equivalent).
   - Participate in the on-call rotation; lead security incident triage, coordinate response, and deliver high-quality RCAs with prevention actions.
   - Define SLIs/SLOs for security-relevant signals (e.g., mean time to detect/respond, patch latency, control coverage).
7. **Developer Enablement & Security Culture**
   - Provide self-service security tooling, golden paths, and pre-approved patterns so engineers can move fast safely.
   - Produce clear runbooks, playbooks, secure coding guidance and threat-modelling templates to reduce operational and cognitive load on engineers.
   - Champion a security-first culture through coaching, lightweight reviews, and visible metrics.
### **THE STUFF THAT SETS YOU APART**
**Must-have Experience & Skills**
- Strong hands-on experience securing and operating production workloads on AWS.
- Proven experience embedding security into IaC (Terraform and/or CloudFormation), including policy-as-code and modular hardened patterns.
- Solid background designing and maintaining secure CI/CD pipelines with integrated SAST, DAST, SCA, IaC and container scanning.
- Experience with vulnerability management, threat modelling, and risk-based remediation across cloud, application and dependency layers.
- Working knowledge of web application security (OWASP Top 10, API security, WAF, bot/rate-limit controls).
- Strong operational discipline: incident response, RCA, change management, and runbook-driven operations.
- Ability to collaborate effectively with cross-functional product teams and communicate security risk in clear, actionable terms.
**Technical Skills (Expected)**
- AWS security fundamentals: IAM, KMS, VPC, Security Hub, GuardDuty, Config, CloudTrail, WAF/Shield.
- Containers and/or serverless security (ECS/EKS/Lambda), image hardening, and runtime protection concepts.
- Secrets management (AWS Secrets Manager, Parameter Store, Vault) and certificate lifecycle management.
- Security tooling across the SDLC: SAST/DAST/SCA, IaC scanners (Checkov/tfsec), container scanners (Trivy/Grype), secrets scanners.
- Observability and SIEM concepts (CloudWatch, Datadog, OpenTelemetry, structured logging, log/event correlation).
- Scripting and automation skills (e.g., Bash, Python, or Node.js).
- Familiarity with modern web delivery (Next.js build/deploy patterns, CDN/edge, API gateway/BFF considerations) and their security implications.
**Soft Skills (What sets you apart)**
- **Ownership:** You take accountability for security, reliability, delivery outcomes and continuous improvement.
- **Pragmatism:** You balance risk and velocity, choosing controls that protect the business without slowing teams down.
- **Problem solving:** You approach incidents and security issues with structured thinking and data.
- **Communication:** You explain complex security risks in clear, actionable terms to engineers, leadership and non-technical stakeholders.
- **Continuous learning:** You stay current with cloud security practices, tooling, attacker techniques and regulatory standards.
- Bachelor’s degree in Computer Science, Information Systems, Cyber Security or a related field (or equivalent practical experience).
- Relevant certifications (e.g., AWS Security Specialty, CISSP, CCSP, CKS, OSCP, ISO 27001 Lead Implementer/Auditor) are a plus.
- Experience supporting global retail/e-commerce platforms with high availability, performance and regulatory requirements.
- Experience with PCI-DSS scoping, GDPR-aligned data protection, and audit-ready operational processes.
- Experience implementing distributed tracing, SLO-based operational models and security telemetry pipelines.
- Experience enabling self-service developer platforms (templates, golden paths, paved roads for security).
- Familiarity with Zero Trust architectures, service mesh security, and API gateway protection patterns.
We live and breathe Rebellious Self Expression at Dr. Martens, and there are 3 core values at the heart of it. They never stand alone, but work together as a balancing act of rights and responsibilities to support how we work together at DMs. **BE YOURSELF**. **ACT COURAGEOUSLY**. **SHOW YOU CARE**.
At DM your technical capability will go hand in hand with the below:
- Great relationship management that delivers results through effective teamwork.
- You’ll be a proud custodian of our DM culture, embodying what we stand for and encouraging others to do the same.
- You’ll help build a highly engaged team, ensuring a collaborative culture and providing guidance and support to other team members.
- You will take ownership of your own development, proactively seeking out feedback to build self-awareness.
- You will bring the outside in; you’ll share best practice across the team/business and encourage idea sharing as well as collaborative problem solving.
- You’ll lead the way and be a role model on all things DE&I and wellbeing.