[Remote] DevSecOps Engineer – Security Automation & Pipeline Development, 37294688

Work from home Full-time role Hiring

Note: This is a remote job open to candidates in the USA. Cypress HCM is seeking a DevSecOps Engineer to enhance security within its AWS EKS Kubernetes environment and CI/CD pipeline in preparation for a FedRAMP High audit. The role involves upgrading vulnerable containers, maintaining security settings, and developing automated patching pipelines while ensuring compliance with security standards.

Responsibilities

  • Upgrade vulnerable containers in collaboration with the DevSecOps team, testing and promoting updates to production
  • Apply cloud hardening and maintain Terraform/Ansible code to enforce security settings across AWS services and Kubernetes nodes per STIG and CIS benchmarks
  • Design and maintain automated container patching pipelines including base image refresh, rebuild triggers, and automated PR generation
  • Build and maintain vulnerability scanning workflows using Grype and/or Trivy as pipeline gates blocking promotion of images exceeding CVE thresholds
  • Build and manage Argo Workflows orchestrating end-to-end patch automation from scanning through remediation, rebuild, and deployment
  • Write Python-based tooling supporting pipeline logic, scan result parsing, notification routing, and patch orchestration
  • Own GitHub-based development workflow: branch strategy, PR creation/review, code quality standards, and merge gate enforcement
  • Conduct code reviews ensuring changes meet security, quality, and operational standards before production promotion
  • Maintain production readiness practices including testing, peer review, rollback procedures, and deployment validation
  • Analyze Kubernetes IAM configurations and RBAC policies to identify overprivileged roles, misconfigurations, and deviations from least-privilege principles
  • Review and harden Kubernetes network setup and segmentation including network policies, namespace isolation, and inter-service communication controls
  • Audit certificate usage across the cluster and pipeline, ensuring proper issuance, validity, and automated rotation; verify secrets are rotated on schedule and not hardcoded or overexposed
  • Scan codebases, repos, and infrastructure configs for exposed secrets using open source tools such as Hedgehog and equivalent secret detection utilities
  • Scan S3 buckets for exposed secrets and sensitive data, remediating findings and implementing preventive controls
  • Review network, WAF, and Istio logs to map existing traffic flows and service communication patterns in preparation for network segmentation and a deny-by-default lockdown posture
  • Develop automations for WAF rule creation and tuning based on observed traffic patterns and threat intelligence
  • Leverage Claude to accelerate security research, organize remediation plans, and develop Python-based tooling for non-production-impacting automation and analysis tasks

Skills

  • Deep familiarity with container technology and security
  • AWS EKS
  • Kubernetes
  • Terraform
  • Ansible
  • ArgoCD
  • Argo Workflows
  • GitLab
  • GitHub
  • FedRAMP
  • STIG
  • CIS Benchmarks
  • RBAC
  • IAM
  • Okta/OIDC
  • SAML
  • WAF
  • Istio
  • Network Segmentation
  • Certificate Management
  • Secrets Rotation
  • Least Privilege
  • Grype
  • Anchore
  • Hedgehog
  • S3 Scanning
  • Vulnerability Scanning
  • Secrets Detection
  • Python
  • CI/CD Pipelines
  • Code Review
  • PR Management
  • Patch Automation
  • Claude
  • AI-Assisted Coding

Company Overview

  • Cypress HCM is a staffing and recruiting company providing technology and creative recruiting solutions. It was founded in 2005, and is headquartered in Walnut Creek, California, USA, with a workforce of 51-200 employees. Its website is http://cypresshcm.com.