Principal DevSecOps Engineer

Location: United States (flexible)
Main Location: Raleigh, NC, United States

Our Customers Develop Software at the Speed of Ideas

CloudBees is powering the continuous economy by offering the world’s first end-to-end continuous software delivery management system (SDM). For millions of developers and product teams driving innovation for businesses large or small, SDM builds on continuous integration (CI) and continuous delivery (CD) to enable all functions and teams within and around the software delivery organization to best work together to amplify value creation.

CloudBees is the continuous integration (CI), continuous delivery (CD) and application release automation (ARA) powerhouse built from the commercial success of its products and its open source leadership as the largest contributor to Jenkins and a founding member of the Continuous Delivery Foundation (CDF). With a globally distributed workforce of more than 500 employees, the company reflects the global nature of the DevOps movement. We believe in walking the talk! From startups with full-stack developers practicing NoOps to large Fortune 100 companies, CloudBees enables all software-driven organizations to intelligently deploy the right capabilities at the right time.

Over 3,500 of the world’s best known brands and over 50% of the Fortune 500 invest in CloudBees because of its ability to work across any cloud and in any development environment, and to balance corporate governance and control with developer flexibility and freedom.

CloudBees is home to the world’s leading DevOps experts helping thousands of companies harness the power of “continuous everything” and putting them on the fastest path from great idea, to great software, to great business value.

The Product Security organization oversees engineering security practices across the entire product organization and is therefore responsible for securing multiple products (both on-prem builds and SaaS). Product Security works with many counterparts: Engineering teams, Product Management, Product Marketing, Legal, and external customers. It sits at the crossroads of everything we build.

You will be involved in a vast array of endeavors to build our security program, yet have a specific focus on application security, for both on-prem and SaaS offerings. You will act as the Subject Matter Expert and work with the various teams on security engineering topics.

Location / Time Zone: CEST or US-Eastern Time.

What You’ll Do

  • Work with product engineering teams to architect solutions that are inherently secure and aligned with our compliance targets.
  • Build and automate our DevSecOps platform using CI/CD practices, automating and coding wherever possible.
  • Perform risk assessments and threat modeling of services and application features.
  • Participate in triaging and acting on reports from our HackerOne program.
  • Perform penetration testing as required.
  • Be part of our Incident Response team.
  • Create and run training exercises to deepen developers’ security knowledge.
  • Write the automation needed to ensure ongoing adherence to security practices and policies.
  • Help raise the profile of security across engineering, and support the security champions within teams.

What The Role Requires

  • Prior experience (3+ years) working within Application Security or Information Security teams.
  • 3+ years of scripting and development experience (e.g. Go, Python, Ruby); Python/Django experience is a bonus.
  • A passion for security and the hacker mentality of doing whatever it takes to understand and solve a problem.
  • Proficiency and in-depth understanding of cloud environments (AWS and/or GCP), Docker, and Kubernetes.
  • Strong understanding of the OWASP Top Ten security risks and how to mitigate them.
  • Strong understanding of authentication and authorization frameworks (e.g. OAuth2, SSO).
  • Experience with static and dynamic code analysis tools (e.g. SonarQube, OWASP tooling).
  • Proficiency with several scanners, such as Arachni and ZAP for web applications and Anchore for container images.
  • The ability to write a solid root-cause analysis and explanation of a security issue is critical, including how it can be exploited, the likelihood of exploitation, and the impact.
  • Exposure to compliance frameworks (e.g. GDPR, NIST 800 series, SOC 2) is a plus.
  • Up-to-date knowledge of the latest security vulnerabilities (e.g. reported CVEs) in web application frameworks and libraries, including an understanding of their impact and exploitation techniques.

At CloudBees, we truly believe that the more diverse we are, the better we serve our customers. A global community like Jenkins demands a global focus from CloudBees. Organizations with greater diversity—gender, racial, ethnic, and global—are stronger partners to their customers. Whether by creating more innovative products, or better understanding our worldwide customers, or establishing a stronger cross-section of cultural leadership skills, diversity strengthens all aspects of the CloudBees organization.

In the technology industry, diversity creates a competitive advantage. CloudBees customers demand technologies from us that solve their software development, and therefore their business problems, so that they can better serve their own customers. CloudBees attributes much of its success to its worldwide work force and commitment to global diversity, which opens our proprietary software to innovative ideas from anywhere. Along the way, we have witnessed firsthand how employees, partners, and customers with diverse perspectives and experiences contribute to creative problem solving and better solutions for our customers and their businesses.
