DevSecOps Engineer

  • Fully Remote
  • £675 per day (Outside IR35)

Position Overview

Fast-growing FinTech seeking a highly motivated and technically capable DevSecOps Engineer (Application Security) to join a fast-paced FinTech team that’s building and scaling secure, cloud-native software platforms. This role sits at the convergence of DevOps, security engineering, and cloud infrastructure. You’ll take a lead role in embedding security into every stage of the SDLC, from design and development to deployment and monitoring, while working side by side with software engineers, platform teams, SREs, and compliance stakeholders. Your focus will be on implementing proactive security controls, integrating security tools into CI/CD, driving remediation workflows, and influencing design decisions that improve our product security and operational resilience.

What You’ll Do

Secure CI/CD Pipeline Engineering

  • Work on automated security checks across CI/CD pipelines, ensuring all builds and deployments meet defined security and compliance standards before they reach production.
  • Integrate SAST, DAST, SCA, and container scanning tools (e.g., SonarQube, Snyk, Trivy, Checkov) to detect vulnerabilities, license issues, and misconfigurations early in the SDLC.
  • Build and maintain security-as-code workflows that enforce security policies, validate dependencies, and detect anomalies as part of automated delivery.
  • Work closely with engineering teams to embed security tests into unit testing frameworks and define SLAs for vulnerability remediation.

Infrastructure & Application Hardening

  • Work across development and platform teams to implement secure defaults in Terraform, Kubernetes manifests, Helm charts, and GitOps configurations.
  • Identify and remediate common cloud infrastructure risks including overprivileged IAM roles, insecure storage buckets, open ports, unencrypted traffic, and publicly exposed services.
  • Harden container environments using GKE/GCP-native security controls, including workload identity, binary authorization, and service mesh security.
  • Enable secure secrets management, implementing solutions using GCP Secret Manager, HashiCorp Vault, or equivalent.

Automation, Monitoring & Incident Readiness

  • Automate the generation of security reports, dashboards, and compliance evidence to support internal audits, SOC 2, PCI-DSS, and GDPR readiness.
  • Implement and tune alerting and monitoring for security events, such as privilege escalations, API misuse, unauthorized access attempts, or unusual container behavior.
  • Work alongside incident response teams to automate log collection, response triggers, and mitigation scripts for cloud-native security incidents.
  • Build out feedback loops for post-incident learnings to improve pipeline security and configuration resilience over time.

Security Awareness, Governance & Collaboration

  • Advocate for security best practices across teams, delivering developer-focused training on secure development, API security, identity best practices, and threat modeling.
  • Collaborate with GRC (Governance, Risk, and Compliance) teams to map technical controls to regulatory frameworks, and document audit evidence effectively.
  • Establish and track key metrics for security maturity across engineering teams including vulnerability trends, MTTR, coverage, and adoption rates of security tooling.
  • Champion a shift-left security culture, partnering with stakeholders to make security accessible, visible, and embedded, not bolted on.

Who You Are

You are a DevOps-savvy security engineer with a passion for automation and hands-on problem solving. You bring a builder’s mindset and understand that the most effective security controls are those that scale seamlessly and complement engineering workflows. You enjoy working cross-functionally and have a strong appreciation for balancing risk with delivery velocity.

You’re deeply familiar with the intricacies of secure application deployment, cloud infrastructure, and compliance challenges in financial or regulated environments. You believe that infrastructure should be treated as code, that pipelines should fail fast on insecure changes, and that effective security is both visible and automated.

Essential Qualifications

  • Proven experience in DevSecOps, security engineering.
  • Demonstrated ability to design and manage security controls in modern CI/CD pipelines (GitLab, GitHub Actions, CircleCI, Jenkins).
  • Deep understanding of modern application security practices, including SAST, DAST, SCA, IaC security, and how to triage results.
  • Proficiency in scripting or programming (Python, Bash, Go) for writing automation tools and pipeline integrations.
  • Experience with GCP cloud security features, including IAM, VPC Service Controls, workload identity, Secret Manager, and Cloud Audit Logs.
  • Familiarity with Kubernetes (GKE) and containerized deployments, including image hardening, runtime security, and policy enforcement.
  • Solid knowledge of security concepts such as least privilege, defense in depth, zero trust, and secure software development lifecycle (SSDLC).
  • Comfortable reading vulnerability scan reports and working directly with developers to remediate them efficiently.
  • Strong understanding of regulatory frameworks such as SOC 2, ISO 27001, PCI-DSS, and GDPR.

Nice to Have

  • Hands-on experience with policy-as-code (OPA, Rego, Conftest).
  • Familiarity with secrets rotation strategies and tools such as Vault, Doppler, or GCP Secret Manager.
  • Certifications including GCP Professional Cloud Security Engineer, CKS, GIAC DevSecOps, CSSLP, or equivalent.
  • Experience implementing security controls in GitOps workflows and multi-cloud setups.
  • Exposure to threat modeling frameworks (STRIDE, MITRE ATT&CK, PASTA) and architectural risk assessments.
  • Familiarity with code review processes and DevOps/SRE collaboration patterns (incident postmortems).

What You’ll Gain

  • Core influence on how application and infrastructure security is implemented and scaled in a real-time, cloud-native FinTech environment.
  • Opportunity to work in a remote-first, inclusive, and fast-moving culture where your voice is valued and autonomy is respected.
  • Dedicated time and budget for certifications, training, and attending security conferences.
  • Work alongside a highly capable team of security engineers, architects, and developers in a collaborative, low-ego environment.
  • Direct contribution to protecting millions of users and sensitive data through scalable, intelligent security solutions.

We seek individuals from a diverse talent pool and encourage applicants from underrepresented groups to apply to our vacancies. Our commitment to fair recruitment processes means that we welcome applicants from all backgrounds, regardless of their lived experience or personal characteristics. We also invite applicants who meet most of the listed requirements, even if not all, to apply. If you require any adjustments to the application process, please let us know.

Barclay Simpson acts as an Employment Agency for permanent positions and an Employment Business for temporary/contract engagements.