Staff DevSecOps Engineer

Ever since we started in 2007 Sunrun has been at the forefront of connecting people to the cleanest energy on Earth. Its why weve become the #1 home solar and battery company in America. Today were on a mission to change the way the world interacts with energy and were building a company and brand that puts power at the center of life. And were doing it by designing a dynamic culture where employee development well-being and safety come first. Were unlike any other solar company. Our vertically integrated model gives us total control over every part of the energy lifecycle from sale through installation and beyond so you can find endless opportunities for growth. Come join a career you can grow in and a culture you can run with.

This position is primarily remote with occasional visits to a local office or our corporate headquarters for team-building training and collaborative project work. These on-site sessions are designed to strengthen connections share insights and ensure a seamless experience for our team and customers. Equipment pick-up from a local branch will be required. We will provide advance notice whenever on-site attendance is required making these times purposeful and rewarding.

Position Overview:

We are seeking a highly experienced and proactive Staff DevSecOps Engineer to lead the development and implementation of our DevSecOps program. In this critical role you will be responsible for architecting and integrating security best practices into our software development lifecycle (SDLC) and CI/CD pipelines. Your deep expertise will be instrumental in establishing and maturing robust vulnerability management static application security testing (SAST) software composition analysis (SCA) and secrets scanning processes to proactively identify assess and mitigate security risks. You will work closely with development operations and security teams providing mentorship and fostering a security-first culture.

Key Responsibilities:

• Architect and Implement DevSecOps Program: Design build mature and maintain a comprehensive DevSecOps program including strategy policies standards and procedures. Drive the adoption of DevSecOps practices across the organization.

• CI/CD Pipeline Security: Architect implement and optimize the integration of security tools and processes (SAST DAST SCA secrets scanning) into CI/CD pipelines to ensure automated and effective security checks at every stage of development.

• Advanced Vulnerability Management: Lead and enhance the vulnerability management lifecycle including advanced identification techniques risk-based assessment strategic prioritization remediation tracking and comprehensive reporting of vulnerabilities across applications and infrastructure.

• Static Application Security Testing (SAST): Implement configure manage and scale SAST tools to identify security flaws in source code. Work with development teams to remediate findings and provide expert guidance on secure coding practices and architectural patterns.

• Software Composition Analysis (SCA): Deploy manage and optimize SCA tools to identify and mitigate risks associated with open-source components and third-party libraries including known vulnerabilities and license compliance issues. Develop strategies for managing supply chain security.

• Secrets Scanning & Management: Implement and manage advanced tools and processes for detecting and preventing secrets (API keys passwords certificates) leakage in code repositories configuration files and CI/CD pipelines. Champion and enforce secure secrets management practices and solutions.

• Security Automation and Orchestration: Design and implement automation and orchestration for security testing monitoring and response processes to improve efficiency effectiveness and speed of remediation.

• Security Champion Mentorship & Training: Act as a senior security champion providing expert guidance mentorship training and support to development operations and junior security team members on secure development practices and DevSecOps principles.

• Incident Response Leadership: Play a key role in security incident response activities including investigation containment remediation and post-mortem analysis.

• Stay Current & Innovate: Keep abreast of emerging security threats vulnerabilities advanced attack techniques and industry best practices in DevSecOps. Drive innovation in security tooling and processes.

Required Qualifications:

• Bachelors degree in Computer Science Information Security or a related field or equivalent practical experience.

• 8 years of progressive experience in DevSecOps Application Security or Security Engineering roles with a significant portion at a senior or lead level.

• Proven track record of designing implementing and leading successful DevSecOps programs and integrating security deeply into CI/CD pipelines.

• Expert-level hands-on experience with SAST tools (e.g. GHAS Checkmarx Veracode Semgrep).

• Expert-level hands-on experience with SCA tools (e.g. OWASP Dependency-Check Snyk Black Duck Mend).

• Extensive experience with secrets scanning tools (e.g. GitLeaks TruffleHog HashiCorp Vault CyberArk).

• Deep understanding and experience with advanced vulnerability management principles and tools (e.g. Wiz Orca Nessus OpenVAS).

• Proficiency in multiple scripting languages (e.g. Python Bash PowerShell Go).

• Strong experience with serverless/containerization technologies (e.g. Docker Kubernetes) and their security hardening and monitoring.

• In-depth knowledge of cloud security principles services and best practices (AWS Azure GCP).

• Expert understanding of common web application vulnerabilities (OWASP Top 10 SANS Top 25) and advanced mitigation techniques.

• Strong analytical strategic thinking and problem-solving skills.

• Excellent communication presentation and interpersonal skills with the ability to influence and collaborate effectively with technical and non-technical stakeholders at all levels including leadership.

• Demonstrated experience mentoring and leading junior engineers.

Preferred Qualifications:

• Masters degree in Computer Science Information Security or a related field.

• Relevant advanced security certifications (e.g. CISSP-ISSAP/ISSEP CSSLP OSCP OSCE GIAC certifications like GCSA GWEB GCIH GDSA).

• Extensive experience with Infrastructure as Code (IaC) security (e.g. Terraform CloudFormation Pulumi) and tools like Terrascan Checkov.

• Experience with Dynamic Application Security Testing (DAST) tools and IAST.

• Experience in developing and presenting security dashboards and metrics to executive leadership.

• Published security research or contributions to open-source security projects.

Recruiter:

Please note that the compensation information that follows is a good faith estimate for this position only and is provided pursuant to acts such as The Equal Pay Transparency Act. It assumes that the successful candidate will be located in markets within the United States that warrant the compensation listed.Candidates in locations outside this local area may have a different starting salary range for this opportunity which may be higher or lower.Please speak with your recruiter to learn more.

Starting salary/wage for this opportunity:

Sunrun provides a variety of benefits to employees including health insurance coverage a wellbeing program life and disability insurance a retirement savings plan paid holidays and paid time off (PTO). Other rewards may include annual bonus eligibility based on both company and individual performance as well as short- and long-term incentives and program-specific awards. Compensation decisions will not be based on a candidates salary history. Please note: Employee benefits do not apply to our Fusion and Street Sales roles which are 100% commission-based (1099-NEC) positions.

This description sets forth the general nature and level of the qualifications and duties required of employees in this job classification as well as some of the essential functions of this role. It is not designed to be a comprehensive inventory of all essential duties and qualifications. If you have a disability or special need that may require reasonable accommodation in order to participate in the hiring process or to perform this role if you are offered employment please let us know by contacting us at .

Sunrun is proud to be an equal opportunity employer that does not tolerate discrimination or harassment of any kind. Our commitment to Diversity Inclusion & Belonging drives our ability to build diverse teams and develop inclusive work environments. At Sunrun we believe that empowering people and valuing their differences are essential for our mission of connecting people to the cleanest energy on earth. We are committed to equal employment opportunities without consideration of race color religion ethnicity citizenship political activity or affiliation marital status age national origin ancestry disability veteran status sexual orientation gender identity gender expression sex or gender pregnancy or any other basis protected by law. We also consider qualified applicants with criminal convictions consistent with applicable federal state and local law.