Role description
Job Description for a Senior DevSecOps or DevOps Engineer / Security Tester
Must-Have Skills
- Minimum 5-8 years' experience in DevSecOps or DevOps, along with Application Security or Security Engineering
- Expert-level CI/CD pipeline engineering — building, configuring, and optimising end-to-end security-integrated pipelines (any major CI/CD platform; GitLab CI/CD preferred)
- SAST — hands-on experience implementing and tuning static analysis tools (Semgrep preferred)
- DAST — proficiency with dynamic application security testing tools (Burp Suite and OWASP ZAP preferred)
- SCA & SBOM — experience with software composition analysis and SBOM generation/tracking (Dependency-Track, CycloneDX/CDXGen preferred)
- Secrets scanning — experience with secrets detection tools integrated into CI pipelines (Detect-Secrets preferred)
- Container & image scanning — experience with container security scanning tools (Trivy preferred)
- Vulnerability management platforms — operating centralised vulnerability aggregation and tracking platforms, managing triage, deduplication, false positive handling, and severity-based SLAs (DefectDojo preferred)
- Secrets management — experience with vault-based secrets management, rotation policies, and least-privilege enforcement (HashiCorp Vault preferred)
- Observability & security monitoring — experience with observability platforms for security log monitoring, alerting, and dashboarding (Datadog preferred)
- Sensitive data detection — hands-on experience with PII detection and redaction in application logs across production and non-production environments (Datadog Sensitive Data Scanner / SDS preferred)
- Client-side security — experience with client-side web script monitoring and protection tools (SourceDefense preferred)
- Automated dependency management — experience with automated dependency update tools, including MR review and pipeline failure triage (Dependabot or Renovate preferred)
- Infrastructure scanning — experience with infrastructure vulnerability scanning tools (Qualys preferred)
- Code quality — experience with code quality and static analysis platforms (SonarQube preferred)
- Infrastructure as Code — experience managing security configurations through IaC tools (Terraform preferred)
- Container & cloud security — strong knowledge of Docker, Kubernetes, and securing containerised workloads
- Security standards expertise — deep understanding of OWASP Top 10, CVSS scoring, CWE classification, ASVS, and secure SDLC practices
- Governance & process design — proven ability to define security policies, release criteria, RBAC models, and audit-ready documentation
- Leadership & communication — ability to influence engineering teams, present security risk assessments to stakeholders, and mentor junior security engineers
Key Responsibilities
- Security Pipeline Architecture — Design and maintain automated security scanning stages (SAST, DAST, SCA, secrets detection, container scanning) within CI/CD pipelines, defining quality gates and failure criteria
- Vulnerability Lifecycle Management — Own end-to-end vulnerability management — detection, triage, severity classification, remediation tracking, SLA enforcement, and closure
- Release Security Governance — Conduct release security reviews, validate security posture before production deployments, define release blocking criteria, and participate in Go/No-Go decisions
- Secrets & Access Management — Oversee secrets management, credential rotation compliance, API key audits, and RBAC governance across security tooling and infrastructure
- Security Monitoring & Incident Response — Configure sensitive data detection and PII scanning in application logs, monitor security events, and lead triage of security incidents including zero-day response
- Service Onboarding & Standards — Onboard new services into security coverage, define security requirements based on industry standards (OWASP, ASVS), and maintain security runbooks and documentation
- Stakeholder Leadership — Collaborate with development leads, architects, QA, DevOps, and information security teams; escalate risks with evidence-based recommendations; drive security program maturity
Good to Have
- Experience securing e-commerce platforms (payments, PII handling, order management)
- Familiarity with Fluent Commerce or similar OMS platforms
- Experience with CommerceTools or similar e-commerce platform API client security — credential auditing, scope reviews, and least-privilege enforcement
- Familiarity with ReportPortal or similar test reporting platforms
- Experience generating and consuming scan reports in SARIF, JSON, or XML formats
- Penetration testing experience or coordination with external pen-test vendors
Skills
security testing, DevSecOps, DevOps, CI/CD pipeline
About UST
UST is a global digital transformation solutions provider. For more than 20 years, UST has worked side by side with the world's best companies to make a real impact through transformation. Powered by technology, inspired by people and led by purpose, UST partners with its clients from design to operation. With deep domain expertise and a future-proof philosophy, UST embeds innovation and agility into its clients' organizations. With over 30,000 employees in 30 countries, UST builds for boundless impact, touching billions of lives in the process.