Hitachi Vantara, a wholly-owned subsidiary of Hitachi, Ltd., guides our customers from what's now to what's next by solving their digital challenges. Working alongside each customer, we apply our unmatched industrial and digital capabilities to their data and applications to benefit both business and society.
The Role
We are seeking DevSecOps Engineer
Role - DevSecOps Engineer
Total Experience - 6-10 Years
Location - Hyderabad
Responsibilities
The Senior Security Engineer is expected to be strong in multiple domains and provide significant leadership and contribution to the HV Product Security and Compliance team under the Sr. Director of Engineering Operations - Security and Compliance Unit. You are responsible for validating that HV products are designed and implemented to the highest security standards. You will be responsible for providing leadership for the implementation of a DevSecOps environment and the integration of the Secure Software Development Lifecycle (SSDLC) with the CI/CD pipelines for the product portfolio. You will work with multiple engineering teams to implement robust SSDLC practices, which requires interactions with other Product Security team members, as well as Development, Support, System Administration, Engineering, DBA, and Networking team members, and the Business Owners of applications.
You are expected to develop solutions to complex business problems and apply appropriate technologies while following security engineering best practices. You are also expected to mentor more junior engineers and be a security thought leader for the organization. A successful candidate will need a combination of technical, application, troubleshooting and communication skills, in addition to the ability to handle a mix of diverse tasks including evaluating, implementing and improving processes for Software Composition Analysis (SCA), Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST) and manual penetration testing. The successful candidate is responsible for enabling and facilitating the engineering teams to automate security assessments, identify vulnerabilities, assess their risk, and work with developers, QA analysts, application business owners, and others to identify, validate, remediate, or mitigate the risk of these vulnerabilities.
The ideal candidate has experience with both application development and information security concepts, is an effective communicator, and documents and produces reports effectively. Experience in a similar role is preferred. She or he must work well in dynamic and often informal teams. She or he should also be able to coordinate disparate priorities and constraints on development teams, manage different personalities, and maintain objectivity and a strong understanding that security is just one of the business's activities.
• Enterprise and Cloud Security Planning - Work closely with Operations, IT, Product, and Engineering leadership to scope, execute, and complete programs related to public cloud, private cloud and corporate security
• Thorough knowledge of Application Security Vulnerability, Intellectual Property Audit and Export Control functions.
• Develop measurements and metrics for security performance
• An understanding of web services, applications, applied cryptography, and penetration testing
• An understanding of network and web related protocols (such as TCP/IP, UDP, IPSEC, HTTP, HTTPS, routing protocols)
• Demonstrable teamwork skills and resourcefulness
• Strong sense of ownership, urgency, and drive
• Sharp analytical abilities and proven design skills
• Experience in a manual application assessment, including Software Composition Analysis (SCA), Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST)
• Application scanning tools (AppSpider, Acunetix, Arachni, and others)
• Dynamic App Analysis tools (IBM AppScan, Burp, Zaproxy and others)
• Static Analysis tools (IBM ASoC, IBM AppScan, Fortify, Veracode and Checkmarx, and others)
• Security vulnerability aggregator/correlators (CodeDX, Threadfix, and others)
• DevOps or System Administration experience
• An ability to script or customize attack code as needed is a plus
• Ability to assist in the review of security events to evaluate the risk they present is a plus
• Guide the implementation of automation of SSDLC and integration into the CI/CD pipeline for products in the portfolio
• Assess and recommend implementation references for the product teams for a variety of technology stacks and enable the successful implementation of DevSecOps across the product portfolio.
• Ability to manually validate scan results to remove false positives, redundant, or duplicate data as well as to test for additional classes of vulnerabilities scanners can't report is a plus
• Provide timely and detailed reports, with proofs of findings, analysis of risk, and remediation advice and instructions
• Meet with the product engineering, server, and network teams to discuss vulnerability remediation. The technical ability to review the source code and provide examples of how to fix vulnerabilities, and/or to give clear instructions including commands to app teams is preferred
• Provide timely rescans and tests for potential new vectors to teams working to resolve vulnerabilities
• Utilize a ticketing system to report standard vulnerabilities and work with teams to ensure they are resolved
• Preferred candidates have 5+ years of technical experience in the fields of secure application development or cybersecurity operations
• Must be able to work independently and in a team environment
• Knowledge of OWASP Top 10 and SANS Top 25 Software Weaknesses
• Certification and/or training in Application Vulnerability Assessment, Pen Testing and Software Composition Analysis.
• Recognized industry level security certification such as CISSP, CSSLP, CEH, GWAPT, GSEC, GCIA, GPEN, CGWN, CXPN, or PWK, highly desirable
• Analyze, understand, and provide remediation plans for active threats and vulnerabilities.
• Automation mindset with scripting ability (e.g. Python, Bash, Java, others) to develop automation for the generation of benchmarks and best practices
• Capable of describing the necessary concepts, technologies, and functionality using the right vocabulary at the right level of abstraction
• Comfortable with complex undocumented requirements and independent task research
• Professional, organized, and independent
• Reliable, self-motivated, and flexible individual who can collaborate well in a fast-paced environment
• Able to meet deadlines related to scheduled content updates, content changes for immediate release to customers and prospects, and software release dates
• Experience working with remote subject matter experts
• Excellent written and verbal communication skills in a team environment
• 5+ years of experience in application security
• 4-year college degree in Computer Science, Technical Communication, or related discipline
Qualifications
We are an equal opportunity employer. All applicants will be considered for employment without attention to age, race, color, religion, sex, sexual orientation, gender identity, national origin, veteran or disability status.