[Remote] DevSecOps Engineer – Security Automation & Pipeline Development, 37294688

Remote Full-time
Note: The job is a remote job and is open to candidates in USA.

Cypress HCM is seeking a DevSecOps Engineer to enhance security within their AWS EKS Kubernetes environment and CI/CD pipeline in preparation for a FedRAMP High audit. The role involves upgrading vulnerable containers, maintaining security settings, and developing automated patching pipelines while ensuring compliance with security standards.

Responsibilities

- Upgrade vulnerable containers in collaboration with the DevSecOps team, testing and promoting updates to production
- Apply cloud hardening and maintain Terraform/Ansible code to enforce security settings across AWS services and Kubernetes nodes per STIG and CIS benchmarks
- Design and maintain automated container patching pipelines including base image refresh, rebuild triggers, and automated PR generation
- Build and maintain vulnerability scanning workflows using Grype and/or Trivy as pipeline gates blocking promotion of images exceeding CVE thresholds
- Build and manage Argo Workflows orchestrating end-to-end patch automation from scanning through remediation, rebuild, and deployment
- Write Python-based tooling supporting pipeline logic, scan result parsing, notification routing, and patch orchestration
- Own GitHub-based development workflow: branch strategy, PR creation/review, code quality standards, and merge gate enforcement
- Conduct code reviews ensuring changes meet security, quality, and operational standards before production promotion
- Maintain production readiness practices including testing, peer review, rollback procedures, and deployment validation
- Analyze Kubernetes IAM configurations and RBAC policies to identify overprivileged roles, misconfigurations, and deviations from least-privilege principles
- Review and harden Kubernetes network setup and segmentation including network policies, namespace isolation, and inter-service communication controls
- Audit certificate usage across the cluster and pipeline, ensuring proper issuance, validity, and automated rotation; verify secrets are rotated on schedule and not hardcoded or overexposed
- Scan codebases, repos, and infrastructure configs for exposed secrets using open source tools such as Hedgehog and equivalent secret detection utilities
- Scan S3 buckets for exposed secrets and sensitive data, remediating findings and implementing preventive controls
- Review network, WAF, and Istio logs to map existing traffic flows and service communication patterns in preparation for network segmentation and a deny-by-default lockdown posture
- Develop automations for WAF rule creation and tuning based on observed traffic patterns and threat intelligence
- Leverage Claude to accelerate security research, organize remediation plans, and develop Python-based tooling for non-production-impacting automation and analysis tasks

Skills

- Deep familiarity with container technology and security
- AWS EKS, Kubernetes, Terraform, Ansible, ArgoCD, Argo Workflows
- GitLab, GitHub, CI/CD Pipelines, Code Review, PR Management, Patch Automation
- FedRAMP, STIG, CIS Benchmarks
- RBAC, IAM, Okta/OIDC, SAML, Least Privilege
- WAF, Istio, Network Segmentation
- Certificate Management, Secrets Rotation, Secrets Detection
- Grype, Anchore, Hedgehog, S3 Scanning, Vulnerability Scanning
- Python
- Claude, AI-Assisted Coding

Company Overview

Cypress HCM is a staffing and recruiting company providing technology and creative recruiting solutions. It was founded in 2005, and is headquartered in Walnut Creek, California, USA, with a workforce of 51-200 employees. Its website is http://cypresshcm.com.
