DevSecOps Engineer Remote


Job Location:

Bengaluru - India

Monthly Salary: Not Disclosed
Posted on: 2 hours ago
Vacancies: 1 Vacancy

Job Summary

We are seeking a highly skilled DevSecOps Engineer to help secure our AWS EKS Kubernetes environment and CI/CD pipelines as we prepare for a FedRAMP High audit. We currently manage over 350 container images running on AWS EKS. While direct FedRAMP experience is not mandatory, deep expertise in container security, Kubernetes, cloud security, and automation is essential.

Key Responsibilities

Container Security & Patch Management
  • Upgrade vulnerable container images in collaboration with the DevSecOps team, thoroughly testing and promoting updates to production environments.
  • Design, develop, and maintain automated container patching pipelines, including:
    • Base image refresh automation
    • Rebuild triggers
    • Automated Pull Request (PR) generation
  • Build and maintain vulnerability scanning workflows using Grype, Trivy, or similar tools as CI/CD pipeline gates, preventing promotion of images that exceed defined CVE thresholds.
Cloud Security & Infrastructure Hardening
  • Apply cloud hardening controls and maintain Terraform and Ansible code to enforce security configurations across AWS services and Kubernetes nodes.
  • Ensure compliance with STIG and CIS Benchmark requirements.
  • Analyze Kubernetes IAM configurations and RBAC policies to identify:
    • Overprivileged roles
    • Security misconfigurations
    • Violations of least-privilege principles
  • Review and harden Kubernetes networking, including:
    • Network policies
    • Namespace isolation
    • Service-to-service communication controls
Automation & Workflow Orchestration
  • Build and manage Argo Workflows to orchestrate end-to-end patch automation, including:
    • Vulnerability scanning
    • Remediation
    • Image rebuilding
    • Deployment automation
  • Develop Python-based tools for:
    • Pipeline automation
    • Scan result parsing
    • Notification routing
    • Security remediation orchestration
CI/CD & Code Quality
  • Own and manage GitHub-based development workflows, including:
    • Branching strategies
    • Pull request creation and review
    • Code quality standards
    • Merge gate enforcement
  • Conduct code reviews to ensure compliance with security, quality, and operational standards.
  • Maintain production readiness practices, including:
    • Testing and validation
    • Peer reviews
    • Rollback procedures
    • Deployment verification
Secrets & Certificate Management
  • Audit certificate usage across Kubernetes clusters and CI/CD pipelines.
  • Ensure proper certificate issuance, validity monitoring, and automated rotation.
  • Verify secrets are regularly rotated and not hardcoded or unnecessarily exposed.
  • Scan repositories, source code, and infrastructure configurations for exposed secrets using Hedgehog and other open-source secret detection tools.
  • Scan S3 buckets for sensitive data exposure and implement preventive security controls.
Network Security & Traffic Analysis
  • Review network, WAF, and Istio logs to understand existing traffic flows and service communication patterns.
  • Support network segmentation initiatives and implementation of a deny-by-default security posture.
  • Develop automations for WAF rule creation and optimization based on traffic analysis and threat intelligence.
AI-Assisted Security Operations
  • Leverage Claude AI to accelerate:
    • Security research
    • Remediation planning
    • Development of Python-based automation tools
    • Security analysis activities with no production impact
Required Skills & Experience

Core Platform & Cloud Technologies
  • AWS EKS
  • Kubernetes
  • Terraform
  • Ansible
  • ArgoCD
  • Argo Workflows
  • GitHub
  • GitLab
Security & Compliance
  • FedRAMP
  • STIG
  • CIS Benchmarks
  • RBAC
  • IAM
  • Okta / OIDC
  • SAML
  • Web Application Firewall (WAF)
  • Istio Service Mesh
  • Network Segmentation
  • Certificate Management
  • Secrets Rotation
  • Least Privilege Access Controls
Security Scanning & Tooling
  • Grype
  • Trivy
  • Anchore
  • Hedgehog
  • S3 Security Scanning
  • Vulnerability Scanning
  • Secrets Detection Tools
Development & Automation
  • Python
  • CI/CD Pipeline Development
  • Code Reviews
  • Pull Request Management
  • Patch Automation
AI & Productivity Tools
  • Claude AI
  • AI-Assisted Coding & Automation