Staff Engineer, Software

Thermo Fisher Scientific -
Andhra Pradesh

Apply Now

Job details

Full-time
4 days ago

Qualifications

Jira
CI/CD
Computer Science
Software Engineering
Kubernetes
Kanban
DevOps
Bill of materials
Supply chain
Git
English
RBAC
Analysis skills
Docker
Bachelor's degree
Confluence
Continuous integration
Scripting
Scrum
Software development
Unity
Agile
VMWare
Metadata
Cybersecurity
Jenkins
GitLab
Communication skills
Python
PowerShell
SDLC

Full job description

Work Schedule

First Shift (Days)

Environmental Conditions

Office

Job Description

Thermo Fisher Scientific Inc. (NYSE: TMO) is the world leader in serving science, with revenues of more than $20 billion and approximately 65,000 employees globally. Our mission is to enable our customers to make the world healthier, cleaner and safer. We help our customers accelerate life sciences research, solve complex analytical challenges, improve patient diagnostics, deliver medicines to market and increase laboratory productivity. Through our premier brands – Thermo Scientific, Applied Biosystems, Invitrogen, Fisher Scientific and Unity Lab Services – we offer an unmatched combination of innovative technologies, purchasing convenience and comprehensive services

The Position

We are seeking a DevSecOps Engineer to integrate security practices into our DevOps processes, ensuring that applications and infrastructure are secure by design. This role focuses on embedding security controls across the CI/CD pipeline, enabling secure software delivery while maintaining development velocity.

You will work closely with development, QA, DevOps, and security teams to identify risks, implement automated security checks, and enforce best practices across the software development lifecycle. The role requires a proactive mindset to continuously improve security posture in complex, distributed environments

Key responsibilities include, but are not exclusively:

Design, implement, and maintain secure CI/CD pipelines using Jenkins and GitLab, ensuring integration of security controls throughout the software delivery lifecycle

Implement and manage automated SBOM generation (CycloneDX, SPDX) within CI/CD pipelines, ensuring accuracy and completeness of metadata

Integrate SBOM data with vulnerability management platforms (e.g., Dependency-Track) to enable continuous monitoring of third-party risks

Support compliance with cybersecurity regulations and standards (including Executive Order 14028), translating requirements into enforceable technical controls and preparation for EU CRA.

Implement and manage vulnerability tracking and remediation workflows using tools such as DefectDojo

Establish and enforce software supply chain security practices, including governance of third-party and open-source components

Manage and maintain artifact repositories, ensuring proper classification of internal vs. external packages and secure usage of package sources (NuGet, Conan, Sky)

Implement and enforce software license compliance, including automated license scanning and validation using SPDX identifiers

Design and maintain secure, isolated, or controlled build environments to ensure integrity of the software build process

Integrate static code analysis and security scanning tools (e.g.,SonarQube, TICS and CodeQL) into CI/CD pipelines

Develop and maintain automation scripts (Python, PowerShell) to support security processes and pipeline efficiency

Secure containerized environments (Docker, Kubernetes), including image hardening, access control (RBAC), and vulnerability scanning

Collaborate with infrastructure teams to ensure VMware environments are hardened and aligned with security best practices

Apply Secure Software Development Lifecycle (SSDLC) practices across development teams, embedding security early in the process

Define, implement, and enforce security policies, standards, and compliance controls across development and DevOps workflows

Collaborate closely with development, QA, and DevOps teams to remediate vulnerabilities and improve secure coding practices

Support audit and compliance activities by maintaining documentation, traceability, and evidence in tools such as Confluence

Proven experience in supporting teams performing OWASP threat modeling

Participate in Agile processes using Jira, contributing to sprint planning, backlog refinement, and continuous improvement initiatives

Work within Scrum, Kanban, and scaled Agile (ART) environments, collaborating with cross-ART teams to align on shared security practices

Perform risk assessments and proactively identify security gaps, proposing and implementing mitigation strategies

Continuously improve DevSecOps tooling, processes, and practices to enhance security posture without impacting delivery speed

Requirements:

The ideal candidate combines strong DevOps expertise with deep knowledge of application security,

software supply chain security, and regulatory compliance, and thrives in complex, highly regulated environments.

University degree in Computer Science, Cybersecurity, Software Engineering, or a related technical discipline

8+ years of Strong experience designing, implementing, and maintaining secure CI/CD pipelines using Jenkins and GitLab

Mandatory hands-on experience implementing Software Bill of Materials (SBOM) generation within CI/CD pipelines (CycloneDX, SPDX formats), including metadata collection and validation

Experience integrating SBOMs with vulnerability management platforms such as Dependency-Track or equivalent tools

Hands-on experience with vulnerability management and tracking tools (e.g., DefectDojo or similar), including remediation workflows

Strong understanding of software supply chain security, including governance of third-party and open-source components

Experience managing artifact repositories and package ecosystems, including NuGet, Conan, and internal repositories (e.g., Sky), with clear understanding of internal vs. external package classification

Strong knowledge of software license management, SPDX license identifiers, and automated license compliance enforcement

Experience integrating static code analysis and security scanning tools (e.g., SonarQube, TICS, CodeQL) into CI/CD pipelines

Hands-on experience designing and maintaining secure, isolated, or controlled build environments

Strong scripting and automation skills using Python and/or PowerShell

Experience securing containerized environments using Docker and Kubernetes, including image hardening, RBAC, and vulnerability scanning

Strong understanding of VMware infrastructure security and system hardening best practices

Solid understanding and practical application of Secure Software Development Lifecycle (SSDLC) principles

Experience defining, implementing, and enforcing security policies, standards, and compliance controls across development and DevOps processes

Experience supporting compliance with cybersecurity regulations and standards (e.g., Executive Order 14028, EU Cyber Resilience Act) and translating them into technical implementations

Familiarity with OWASP practices, including supporting or contributing to threat modeling activities

Experience working in audit-driven and regulated environments, with ability to produce documentation, traceability, and compliance evidence (e.g., via Confluence)

Experience working in Agile environments using Jira, including Scrum, Kanban, and scaled Agile frameworks (ART)

Strong analytical, risk assessment, and problem-solving skills, with the ability to identify vulnerabilities and propose effective mitigation strategies

Proven ability to collaborate effectively with development, QA, DevOps, and infrastructure teams to drive secure development practices

Strong communication skills, with the ability to translate security and regulatory requirements into actionable technical solutions

Fluent in English (B2 level or higher)

Apply Now

Jobseeker tools

Employer Tools

Browse

Stay Connected