Security DevOps Engineer (DevSecOps)

Benefits: extra holidays, extra parental leave
Remote: Full Remote

Offer summary

Qualifications:

  • Experience with GitHub code scanning tools.
  • Proficiency in security scanning and vulnerability management.
  • Strong scripting skills in Python and Shell.
  • Familiarity with NIST and VA 6500 frameworks.

Key responsibilities:

  • Perform GitHub code scanning and manage vulnerabilities.
  • Conduct Threat Model analysis and optimize code quality.

Company: By Light Professional IT Services (Large, 1001 - 5000 employees), https://www.bylight.com/

Job description

Position Overview:

The DevSecOps Security Engineer will work closely with the Security Manager to ensure the proper security stance is maintained for the information system. This role is primarily responsible for ensuring that all GitHub code scans are performed and meet VA 6500 and NIST compliance standards.

Responsibilities:

Code Scanning & Vulnerability Management:

  • Perform GitHub code scanning using Dependabot and CodeQL.
  • Conduct vulnerability analysis and manage secrets to ensure compliance with security standards and documentation/reporting for Authority to Operate (ATO) security authorization for FISMA information systems.
  • Document findings, recommendations, and improvements. Generate regular reports on code quality metrics.

Threat Modeling & Risk Assessment:

  • Conduct Threat Model analysis using Microsoft Threat Modeling Tool.
  • Research and address potential security issues for products, services, interfaces, protocols, etc., which may be introduced into the MHV environment.

Code Quality & Optimization:

  • Perform code quality assessments using static analysis tools to identify code smells, anti-patterns, and areas for improvement.
  • Conduct security scanning to identify vulnerabilities (e.g., OWASP Top Ten) in the codebase.
  • Optimize code performance, resolving bottlenecks, memory leaks, and resource-intensive areas.

CI/CD Integration & Automation:

  • Integrate code analysis tools into CI/CD pipelines, ensuring code quality checks are automated.
  • Develop scripts and automation tools using Python, Shell, or other scripting languages to streamline processes.

Documentation & Reporting:

  • Prepare system, boundary, and authorization architectural diagrams using Visio.
  • Support the ATO process by documenting scans, creating diagrams, gathering artifacts, and addressing Security Control Assessments.

Collaboration & Cross-functional Support:

  • Work effectively with cross-functional teams, including developers, testers, and project managers, to ensure secure and efficient code releases.

Cloud Infrastructure & Containerization:

  • Understand and work within AWS cloud infrastructure.
  • Utilize virtualization technologies such as VMware and containerization tools like Docker, Rancher, Kubernetes, and AWS EKS.

Required Experience/Qualifications:

  • Proven experience with GitHub code scanning tools (Dependabot, CodeQL).
  • Proficiency in security scanning and vulnerability management (e.g., OWASP Top Ten).
  • Strong scripting and automation skills (Python, Shell).
  • Familiarity with Agile and DevOps methodologies.
  • Knowledge of security frameworks (NIST, VA 6500).
  • Hands-on experience with threat modeling tools (e.g., Microsoft Threat Modeling Tool).
  • Ability to create technical diagrams and documentation.

Preferred Experience/Qualifications:

  • Familiarity with FISMA compliance and ATO processes.
  • Experience with performance optimization tools.
  • Strong communication skills for cross-functional collaboration.

Special Requirements/Security Clearance:

  • Ability to obtain and maintain a Public Trust.

Required profile

Spoken language(s): English

Other Skills

  • Communication
  • Collaboration
  • Problem Solving
