SO, WHAT’S THE STORY?
The DTC team consists of agile squads delivering Dr. Martens’ global digital commerce experience. We have adopted a customer-centric strategy and use modern engineering practices to serve our customers in a manner that is authentic to the brand values.
The DevSecOps Engineer will be a core member of the Brand Experience team, enabling reliable, secure and compliant delivery of our Next.js (React) storefront with a Backend-for-Frontend (BFF) pattern hosted on AWS. The team operates a “You Build It, You Run It” model where security is engineered in — not bolted on.
This role focuses on embedding security across the entire software delivery lifecycle: secure cloud foundations, hardened pipelines, automated threat and vulnerability management, identity and secrets governance, runtime protection, and audit-ready compliance — so product teams ship faster, with confidence, while meeting global performance, privacy and regulatory expectations in a digital commerce environment.
THE GIG
As the DevSecOps Engineer, you will:
1) AWS Cloud & Platform Security
- Design and operate secure-by-default AWS foundations for Next.js and BFF workloads, including VPC design, segmentation, edge/CDN protections, and resource-level controls aligned to least privilege.
- Own Infrastructure as Code (IaC) security standards using Terraform and/or CloudFormation, embedding policy-as-code (e.g., Checkov, tfsec, OPA/Conftest) and reusable hardened modules.
- Define and enforce baselines for IAM, KMS, networking, logging, and account/landing-zone guardrails (e.g., AWS Config, Security Hub, GuardDuty, SCPs).
2) Secure CI/CD & Software Supply Chain
- Build and harden CI/CD pipelines (e.g., GitHub Actions, GitLab CI, Jenkins, AWS-native tooling) with integrated SAST, DAST, SCA, IaC scanning, container image scanning, and secrets detection.
- Implement software supply chain controls: signed commits, artifact signing, SBOM generation, dependency provenance, and protected release paths.
- Enable progressive delivery, zero/low-downtime deployments, and safe rollback patterns without compromising security gates.
3) Threat & Vulnerability Management
- Operate continuous vulnerability discovery across cloud, container, application and dependency layers; drive risk-based prioritisation and remediation SLAs.
- Lead threat modelling and secure design reviews for new features, partnering with engineering and architecture to identify and mitigate risks early.
- Define and operate web application protections (WAF, bot mitigation, rate limiting) for storefront and BFF endpoints.
4) Identity, Secrets & Data Protection
- Own secrets management and rotation (e.g., AWS Secrets Manager, Parameter Store, HashiCorp Vault), eliminating hard-coded credentials across services and pipelines.
- Implement encryption in transit and at rest, certificate lifecycle management, and key governance using KMS.
- Govern human and workload identity: federation, OIDC for pipelines, role-assumption patterns, and just-in-time access.
5) Compliance, Risk & Governance
- Operationalise compliance for digital commerce: GDPR-aligned data handling, PCI-DSS scope reduction, and customer data protection through automation and guardrails.
- Automate evidence capture, control validation, and audit-ready reporting; partner with InfoSec, Legal and Privacy stakeholders.
- Maintain security policies, exception management, and risk registers relevant to the DTC platform.
6) Observability, Detection & Incident Response
- Build security observability: centralised logging, security telemetry, anomaly detection, and alerting using CloudWatch/Datadog/SIEM (or equivalent).
- Participate in on-call rotation; lead security incident triage, coordinate response, and deliver high-quality RCAs with prevention actions.
- Define SLIs/SLOs for security-relevant signals (e.g., mean time to detect/respond, patch latency, control coverage).
7) Developer Enablement & Security Culture
- Provide self-service security tooling, golden paths, and pre-approved patterns so engineers can move fast safely.
- Produce clear runbooks, playbooks, secure coding guidance and threat-modelling templates to reduce operational and cognitive load on engineers.
- Champion a security-first culture through coaching, lightweight reviews, and visible metrics.
THE STUFF THAT SETS YOU APART
Must-have Experience & Skills
- Strong hands-on experience securing and operating production workloads on AWS.
- Proven experience embedding security into IaC (Terraform and/or CloudFormation), including policy-as-code and modular hardened patterns.
- Solid background designing and maintaining secure CI/CD pipelines with integrated SAST, DAST, SCA, IaC and container scanning.
- Experience with vulnerability management, threat modelling, and risk-based remediation across cloud, application and dependency layers.
- Working knowledge of web application security (OWASP Top 10, API security, WAF, bot/rate-limit controls).
- Strong operational discipline: incident response, RCA, change management, and runbook-driven operations.
- Ability to collaborate effectively with cross-functional product teams and communicate security risk in clear, actionable terms.
Technical Skills (Expected)
- AWS security fundamentals: IAM, KMS, VPC, Security Hub, GuardDuty, Config, CloudTrail, WAF/Shield.
- Containers and/or serverless security (ECS/EKS/Lambda), image hardening, and runtime protection concepts.
- Secrets management (AWS Secrets Manager, Parameter Store, Vault) and certificate lifecycle management.
- Security tooling across the SDLC: SAST/DAST/SCA, IaC scanners (Checkov/tfsec), container scanners (Trivy/Grype), secrets scanners.
- Observability and SIEM concepts (CloudWatch, Datadog, OpenTelemetry, structured logging, log/event correlation).
- Scripting and automation skills (e.g., Bash, Python, or Node.js).
- Familiarity with modern web delivery (Next.js build/deploy patterns, CDN/edge, API gateway/BFF considerations) and their security implications.
Soft Skills (What sets you apart)
- Ownership: You take accountability for security, reliability, delivery outcomes and continuous improvement.
- Pragmatism: You balance risk and velocity, choosing controls that protect the business without slowing teams down.
- Problem solving: You approach incidents and security issues with structured thinking and data.
- Communication: You explain complex security risks in clear, actionable terms to engineers, leadership and non-technical stakeholders.
- Continuous learning: You stay current with cloud security practices, tooling, attacker techniques and regulatory standards.
Education
- Bachelor’s degree in Computer Science, Information Systems, Cyber Security or a related field (or equivalent practical experience).
- Relevant certifications (e.g., AWS Security Specialty, CISSP, CCSP, CKS, OSCP, ISO 27001 Lead Implementer/Auditor) are a plus.
Nice to Have
- Experience supporting global retail/e-commerce platforms with high availability, performance and regulatory requirements.
- Experience with PCI-DSS scoping, GDPR-aligned data protection, and audit-ready operational processes.
- Experience implementing distributed tracing, SLO-based operational models and security telemetry pipelines.
- Experience enabling self-service developer platforms (templates, golden paths, paved roads for security).
- Familiarity with Zero Trust architectures, service mesh security, and API gateway protection patterns.
We live and breathe Rebellious Self Expression at Dr. Martens, and there are 3 core values at the heart of it. They never stand alone, but work together as a balancing act of rights and responsibilities to support how we work together at DMs. BE YOURSELF. ACT COURAGEOUSLY. SHOW YOU CARE.
At DM your technical capability will go hand in hand with the below:
- Great relationship management that delivers results through effective teamwork.
- You’ll be a proud custodian of our DM culture, embodying what we stand for and encouraging others to do the same.
- You’ll help build a highly engaged team – ensuring a collaborative culture and providing guidance and support to other team members.
- You will take ownership for your own development, proactively seeking out feedback to build self-awareness.
- You will bring the outside-in; you’ll share best practice across the team/business and encourage idea sharing as well as collaborative problem solving.
- You’ll lead the way and role model on all things DE&I and wellbeing.