DevSecOps Internal Auditor

We are seeking a highly skilled and detail-oriented DevSecOps Internal Auditor to join our Risk and Security team. This hybrid role combines the hands-on engineering expertise of DevSecOps with the critical oversight of an auditor. The ideal candidate will be responsible for designing, implementing, and continuously improving secure development and operational practices while auditing systems, processes, and pipelines to ensure compliance with security and risk management requirements.

This position plays a key role in ensuring that security is integrated across the entire software development lifecycle (SDLC), from development to deployment and operations, through automation, policy enforcement, and continuous monitoring.

WHAT YOU'LL DO

Engineering Responsibilities

• Design, build, and maintain secure CI/CD pipelines with embedded security controls.
• Implement and manage automated security tools for static and dynamic code analysis, container scanning, secret detection, and infrastructure-as-code validation.
• Collaborate with development, QA, and operations teams to integrate security into agile workflows and DevOps practices.
• Identify and remediate vulnerabilities in source code, dependencies, container images, and cloud configurations.
• Maintain and improve security infrastructure, including IAM policies, logging, monitoring, and alerting systems.
• Champion "security as code" practices and drive adoption of DevSecOps principles across teams.

Auditing & Risk Responsibilities:

• Conduct regular security audits and reviews of infrastructure, code repositories, build pipelines, and deployment processes.
• Monitor compliance with internal security standards, industry best practices, and regulatory requirements (e.g., SOC 2, ISO 27001, NIST).
• Document and report findings, recommend remediation, and track resolution through completion.
• Develop and maintain security baselines, controls, and metrics for secure software delivery.
• Support incident response efforts, ensuring evidence collection and root cause analysis are performed in alignment with audit requirements.
• Provide technical input into risk assessments and contribute to threat modeling and security reviews.

QUALIFICATIONS

• Bachelor's degree in Computer Science, Information Security, or a related field (or equivalent work experience).
• 5+ years of experience in DevSecOps, application security, or infrastructure security.
• Strong hands-on experience with CI/CD tools (e.g., Jenkins, GitLab CI/CD, GitHub Actions).
• Familiarity with containerization and orchestration technologies (Docker, Kubernetes).
• Proficiency with scripting languages (Python, Bash, etc.) and infrastructure-as-code tools (Terraform, CloudFormation).
• Experience conducting audits or assessments aligned to frameworks like SOC 2, NIST, ISO 27001, or CIS Benchmarks.
• In-depth knowledge of cloud security (AWS, Azure, or GCP) and security automation practices.
• Understanding of vulnerability management, secure coding practices, and application threat modeling.
• StateRAMP, GovRAMP, or FedRAMP experience

PREFERRED SKILLS

• Industry certifications such as CISSP, CISA, OSCP, GIAC, or AWS/GCP Security Engineer.
• Experience with security monitoring tools (e.g., Snyk, Aqua, Prisma Cloud, SonarQube, or similar).
• Familiarity with enterprise risk management practices and GRC tools.
• Strong analytical and communication skills, with the ability to document technical issues and collaborate across teams

3391