Role Overview
- Opexor is seeking a DevSecOps Engineer to integrate security controls into CI/CD pipelines and support secure software delivery for a regulated financial services environment.
- The role will implement SAST, SCA, secrets scanning, dependency scanning, DAST, security gates, vulnerability workflows, SIEM alerts, compliance evidence, and secure pipeline controls.
-
Key Responsibilities
- ntegrate DevSecOps controls into Azure DevOps pipelines.
- Configure SAST, SCA, secrets scanning, dependency scanning, DAST, and optional IaC or container scanning.
- Implement SonarQube or equivalent code quality and security gates.
- Define and implement security gate thresholds for critical, high, medium, and low findings.
- Configure scan result publishing and developer feedback in pull requests and pipeline reports.
- Support vulnerability management workflows, including findings ingestion, SLA tracking, remediation backlog, re-test, and closure.
- Map DevSecOps controls to OWASP Top 10, SAMA, NCA, PCI-DSS, or equivalent security frameworks.
- Integrate critical findings and pipeline failures with SIEM or incident management workflows.
- Support ITSM integration for change and release evidence.
- Ensure secrets are managed through approved vaulting solutions and are not exposed in pipeline logs.
- Support AI-aware DevSecOps controls, including human validation, audit logging, and governed recommendation handling where applicable.
- Prepare DevSecOps runbooks, evidence templates, and KT materials.
-
Required Skills and Experience
- 7+ years of technology or cybersecurity experience.
- 4+ years of DevSecOps implementation experience.
- Hands-on experience with Azure DevOps security tool integration.
- Experience with SAST, SCA, secrets scanning, dependency scanning, DAST, and vulnerability management.
- Experience with SonarQube or equivalent quality gate tools.
- Strong understanding of OWASP Top 10, secure coding practices, CVSS, vulnerability prioritization, and remediation workflows.
- Experience with Azure Key Vault or equivalent secrets management tools.
- Experience integrating security alerts with SIEM, SOC, or incident management workflows.
- Experience preparing audit-ready evidence for regulated environments.
- Familiarity with SAMA, NCA, PCI-DSS, or similar compliance frameworks is preferred.
- Strong scripting and automation skills are preferred.
- Understanding of AI-aware security controls is a plus.
Required Certifications
- Certified Secure Software Lifecycle Professional, CSSLP.
- DevSecOps Foundation or DevSecOps Engineering certification.
- Microsoft Certified: DevOps Engineer Expert.
- Certified Kubernetes Security Specialist, CKS, is a plus.
- CISSP, CISM, CompTIA Security+, or equivalent security certification is a plus.
Expected Deliverables
- DevSecOps scan integration.
- SAST, SCA, secrets scan, dependency scan, and DAST pipeline tasks.
- Security gate policies and thresholds.
- Vulnerability workflow configuration.
- Compliance control mapping.
- Scan reports and audit evidence templates.
- SIEM alerting integration design or configuration.
- DevSecOps runbooks and handover materials.