DevSecOps

Cloud Security :

• Use AWS services (Security Hub, GuardDuty, CloudTrail) and GCP tools (Security Command Center, IAM) to harden cloud environments.
• Automate infrastructure deployment with Terraform or AWS CloudFormation, ensuring security best practices.
• Scan IaC using Checkov, Terrascan, or AWS Config Rules.
• Application Security
• SAST and DAST :
• Perform SAST during development to identify vulnerabilities early.
• Conduct DAST in staging or production using tools like Burp Suite, OWASP ZAP, or AppScan.
• Android Security :
• Test Android apps using tools like MobSF, QARK, or Drozer.
• Ensure compliance with OWASP MSTG standards.
• Ethical Hacking and Ransomware Testing
• Ransomware Simulation : Simulate ransomware attacks to test recovery capabilities and data resiliency.
• Ethical Hacking : Perform ethical hacking exercises to assess system vulnerabilities and identify potential breaches
• Threat Analysis Threat Modeling :
• Conduct regular threat analysis to evaluate potential risks to cloud infrastructure and applications.
• Create and maintain threat models for applications, services, and infrastructure to identify attack vectors and mitigation strategies.
• Use tools like Microsoft Threat Modeling Tool, OWASP Threat Dragon, or custom modeling techniques to identify and prioritize risks.
• Code Scanning :
• Use Bitbucket Code Insights for integrated security scan results in PRs.
• Monitor repositories for exposed credentials or sensitive data.
• Automate IaC scanning with tools like Checkov.
• CI / CD and Code Security
• Secure Pipelines :
• Integrate Bitbucket Pipelines with AWS services for secure deployments.
• Automate security checks at each pipeline stage :
• SAST (Static Application Security Testing) : Use tools like SonarQube.
• DAST (Dynamic Application Security Testing) : Use tools like OWASP ZAP or Burp Suite.
• Dependency scanning using tools like OWASP Dependency-Check.
• Container security scanning for Docker images.
• Code Scanning :
• Use Bitbucket Code Insights for integrated security scan results in PRs.
• Monitor repositories for exposed credentials or sensitive data.
• Automate IaC scanning with tools like Checkov.
• WSO2 API Manager Responsibilities
• API Security :
• Secure APIs with OAuth2, JWT tokens, and mutual TLS.
• Implement rate-limiting and throttling to prevent abuse.
• Integrate APIs with AWS Cognito or other identity providers for authentica
• Monitoring and Incident Response
• Monitoring :
• Use AWS CloudWatch, GuardDuty, and Bitbucket monitoring features.
• Configure proactive alerts using PagerDuty or Slack for Bitbucket Pipelines.
• Incident Response :
• Automate incident response workflows using AWS Systems Manager or AWS Lambda.
• Conduct regular incident response drills.
• AWS IAM (Identity and Access Management)
• Policy Design : Create and enforce least privilege access policies.
• Audits : Conduct regular audits of IAM roles, groups, and policies to ensure compliance and security.
• Federated Identity : Configure and manage federated identity with external IdPs (e.g., Okta, Azure AD).
• Bitbucket Roles and Responsibilities
• Version Control Security :
• Manage repository access using roles (Admin, Developer, Read-Only).
• Enforce branch protection rules for PR reviews.
• Secure sensitive data using Bitbucket Pipelines environment variables.
• CI / CD Pipeline Integration :
• Integrate Bitbucket Pipelines with security tools like SonarQube or Checkmarx.
• Automate dependency vulnerability checks.
• Use pre-commit hooks for code quality and security validation.

Job Requirement

Key Tools and Technologies

Category

Tools

Compliance and Governance

GDPR, HIPAA, PCI DSS / AWS CloudTrail and Bitbucket Activity Logs

Vulnerability Assessment, Penetration Testing (VAPT), and Hardening

VAPT

Infrastructure Security

AWS services

Application Security

SAST / DAST

Ethical Hacking and Ransomware Testing

ransomware attacks / system vulnerabilities

Threat Analysis Threat Modeling

applications, services, and infrastructure

Code Scanning

SonarQube, Checkmarx, OWASP ZAP

Source Control

Bitbucket, Git

CI / CD

Bitbucket Pipelines, Jenkins, GitLab CI / CD

Cloud Security

AWS Security Hub, GuardDuty, GCP Security

API Management

WSO2 API Manager, AWS API Gateway

Skills Required

cd, Api Management, Cloud Security, SAST, Ci, Threat Analysis, Ethical Hacking