Lead, DevSecOps Engineer (Remote)

The role of Lead, DevSecOps Engineer is to develop, manage and execute upon security initiatives focused on Edge and Application Security. As part of Office Depot’s DevSecOps team, you’ll be responsible for integrating security into the development of a diverse set of customer-facing applications.  As a subject matter expert in this area, you’ll leverage various tooling to analyze the security posture of both systems & applications while working independently and collaboratively to apply remediations around insufficient security ratings.  Through collaboration with software development and platform engineers, you’ll pre-determine attack signatures and threat models, apply corresponding mitigation policies, protect control points within the application stack and facilitate application vulnerability scans/remediations.  You’ll also be challenged to demonstrate your automation proficiency by accelerating remediation efforts to continuously improve security response times across our variety of end-points. 

This is an opportunity to shape and strengthen our Edge Security practice.  The ideal candidates should have advanced coding skills in Java, Python, Shell and YAML, preferably with a minimum of 3-5 years of experience in all of these or similar languages. Candidates should have 3+ years’ experience in at least two of the following roles: Application Security Engineer, DevOps, Software Engineering, leveraging automation extensively to achieve key deliverables.

Primary Responsibility:

• Develop, tune, implement and support security configurations designed specifically for customer facing applications
• Web Application Security: Engineering, deployment, and operations of security policies with Akamai’s Web Application Firewall and Bot Management platform; including but not limited to creating WAF rules to mitigate threats.
• Develops automation for security implementations and workflow integration.
• Security Software Development: Scripting and Development in Python, Shell scripting and development in other languages.
• Develops advanced alerts/reports; including correlations, enrichments & dashboards that appropriately characterize web application attacks and mitigation mechanisms.
• Collaborates with key stakeholders within Security and Engineering teams; to develop specific use cases to address both business and application needs.
• Focus on professional development through our wide array of learning opportunities for continued growth within the Office Depot team

Education & Experience:

• DevSecOps Experience:
  • Scripting experience: Python, Perl, Shell, YAML, RegEx
  • Development experience: Java, Java Script
  • DevSecOps experience in maintaining and enhancing infrastructure as code with CloudFormation, Terraform, Puppet, Chef, Jenkins, ADO
  • Experience with using knowledge management and code repositories, including Github, Jira, and Confluence
  • Experience with Lambda, API Gateway
• Application Security:
  • Knowledge of SDLC processes
  • Knowledge of open source and commercial application security tools and frameworks
  • Experience with one or more of the following:
    • Imperva Web Application Firewall
    • Akamai (CDN, WAF)
    • AWS (Cloudfront, Shield)
  • Experience with Web Application Firewall; management,    policies and rule-sets
  • Experience in exploiting web apps and web services security vulnerabilities including cross-site scripting, cross-site request forgery, SQL injection, DoS attacks, XML/SOAP, and API attacks
  • Excellent understanding of OWASP Risks, Vulnerabilities and Mitigation Mechanisms
  • Well versed in system exploits (e.g. Buffer Overflows, PTH attacks, windows authentication framework etc.)
  • Excellent understanding of common network and web protocols
  • Excellent understanding of DDoS techniques and mitigation mechanisms
  • Excellent understanding of Cyber Security Operations, Incident Response processes

• Infrastructure:
  • System administration experience in a Windows and Unix environment
  • Experience working in a large enterprise environment

Technical Competencies:

• Java, Java Script
• Python, Bash, Shell, YAML
• GitHub
• Atlassian JIRA
• CI-CD (Jenkins, Ansible, etc)
• Public Cloud IaaS & PaaS services (ie. Compute / Database / / Storage)
• Ability to create standardized and customized alerting & mitigation policies
• Web Application Firewall: Imperva, Akamai, Public Cloud
• Web Application Vulnerability Scanning
• HTTP / WebSocket
• Linux/Unix basics