Description
As a DevSecOps Engineer, you will be part of a motivated security engineering team responsible for ensuring that Qualys products are built to the highest levels of security and trust. This role is for an engineer with 3-5 years of hands-on experience and a passion for security, for supporting developers, and for building trustworthy automation.
About Product Security at Qualys:
The Product Security team operates differently. Our mission is to enable continuous improvement across the lifecycle of our product portfolio, so that Qualys can ensure the highest standards of verifiable security, trust, and compliance. Put differently: we prevent issues from becoming incidents. Our function is to build a secure SDLC, uphold quality management objectives, and ensure predictable outcomes for customers, for the company, and for attackers. We find and resolve problems early, working in line with development, so that we reduce friction, increase release velocity, and keep security front of mind.
Responsibilities:
Security Integration: Stay up to date with DevSecOps trends and best practices ("shift left") and collaborate with development teams to integrate security practices throughout the SDLC.
Toolchain Management: Lead the security administration of a modern enterprise DevSecOps toolchain (for example Coverity, Black Duck, and other relevant tools), and ensure that each capability operates as intended and performs as expected.
Automation: Design, implement, maintain, and continuously improve automated security testing and compliance checks across the entire SDLC, including CI/CD pipelines.
Security Policies: Develop, define, and test CI/CD and build-system security policies so that the security of Qualys products keeps pace with the evolving tactics, techniques, and procedures of attackers.
Supply Chain Security: Lead efforts to harden CI/CD pipelines and builds, apply digital signing, and ensure the provenance of packages. Apply policies and automation to packages that Qualys receives from critical suppliers and OEMs.
Collaboration: Foster a culture of collaboration between development, operations, and security teams, ensuring a shared responsibility for security.
Documentation: Create and maintain documentation for security processes, policies, and procedures. Work with leadership to drive engagement through the Security Champions program.
Qualifications:
Proven ability to learn, self-solve, and grow your knowledge, skills, and abilities in ways that are responsive to the needs of the business.
History of implementing, maintaining, and responding to issues with SAST, SCA, DAST, IaC, and container security capabilities.
Experience creating CI pipelines that implement secure-SDLC controls in major CI systems such as Jenkins, GitLab, Concourse, GitHub, etc.
Expertise in Terraform (HCL), Kubernetes, Docker, or cloud-native security administration.
Skilled in assessing and improving pipeline workflows, scan optimizations, and feedback loops.
Hands-on experience with scripting languages (e.g. Bash, Groovy, Python) for automation.
Proven ability to write scalable Ansible and Terraform code for security configurations.
Bonus Points:
You understand that DevOps is both a craft and a culture.
You work well across teams, across time zones.
You are a secret, or not so secret, penetration tester.
Engineer • Pune, India