Sr. DevSecOps Engineer
The College Board, the national educational organization, is conducting a search for a Sr. DevSecOps Engineer for our IT department. This position is based in our Reston, VA office.
About the College Board
We are a mission-focused, not-for-profit membership organization that believes in promoting innovation, equity, and excellence for generations of students. Our members include more than 6,000 of the world’s leading colleges, schools, and other educational organizations. We have over 1,900 employees in 13 offices across the continental U.S. and Puerto Rico.
We are advocates for children and parents; we empower teachers and educators, and we are a strong presence in thousands of schools and communities across the country through programs and services - the SAT, Advanced Placement (AP®) and Pre-AP are just a few. Our work falls broadly into four categories: College Readiness, College Connection & Success, Student Opportunities, and Advocacy.
About the Role
The College Board is rapidly transforming itself into an agile organization, embracing DevSecOps and cloud-native systems, and focused on improving the speed and security of service delivery in support of an important mission. To enable this mission, the College Board is seeking a DevSecOps Engineer to drive the development of innovative and transformative security solutions in our DevSecOps and cloud transformation initiatives. The DevSecOps Engineer is a highly technical and creative contributor to a bleeding-edge cloud and application security team that enables the agile development of secure and reliable cloud-based solutions.
Responsibilities of the role
- Act as a liaison between ISO Partner teams (both in IT and outside of IT) and the Information Security Office.
- Work to promote, grow and enhance the ISO Partners program to promote Security Champions and enable dev teams to shift left.
- Mentor developers through discussions, presentations, and pair programming to demonstrate best practices in writing secure code and securing application infrastructure.
- Perform analysis of application architectures and security patterns and participate in EARC sessions as needed.
- Develop threat models in conjunction with architects and software engineering staff.
- Implement security tooling and support common integrated development environments.
- Participate and/or lead application vulnerability reviews and remediations.
- Document and communicate application risks and vulnerabilities to technical stakeholders.
- Develop and deliver Secure Developer Training, assist dev teams with the security platforms we support, and support day-to-day tool operations for those platforms.
- Participate in planning and grooming as part of agile ceremonies and manage assigned Epics.
- Support CI/CD and build pipelines with an understanding of quality and security gates, and integrate automated security checks (e.g., SAST, dependency/SCA, and container image scanning) into those pipelines.
- Perform architectural reviews to identify and remedy security flaws in application architecture, both as part of EARC sessions and in consulting engagements with dev teams.
- Identify application security weaknesses and provide recommendations to correct them.
- Provide risk assessments and data driven recommendations to management to increase or improve our security footprint.
- Work with broader ISO team on incident response and operational/strategic initiatives.
- Own the use and operational maintenance of security-related systems and tools, including tuning, enhancements, upgrades, and tool integrations.
- Evaluate and promote new and existing security standards, tools, and solutions, with a focus on automation and securing build pipelines to support a shift-left approach.
Qualifications needed for the role
Education/Years of Experience:
- Bachelor’s Degree in a related field plus additional related college courses or professional training and four to seven years of progressively responsible, directly related, experience required.
- One or more security certifications (e.g., CISSP) preferred.
- Knowledge of secure development principles and of DevSecOps
- Must have strong knowledge in cloud application development.
- Must have a thorough understanding of network and web protocols, including TCP/IP, UDP, HTTP, HTTPS, and SSL/TLS.
- Protocol analysis and forensic analysis experience is a plus.
- Experience with source control systems such as SVN, Git, and Bitbucket is a plus.
- Knowledge of common vulnerabilities such as cross-site scripting (XSS), session hijacking, SQL injection, CSRF (Cross-Site Request Forgery), OWASP Top 10, and other attack vectors.
- Understanding of modern software engineering principles and practices, as well as modern web tools and frameworks.
- Familiarity with common frontend and backend frameworks (Angular, Bootstrap, Node.js, Struts, Spring, .NET MVC, etc.).
- Experience with RESTful web services and APIs.
- Experience with Web Application Firewalls (WAF).
- Experience with microservice architectures.
- Experience with AWS and familiar with AWS services, components and common architecture patterns.
- Familiar with AWS cloud architecture security.
- Experience with vendor SaaS and PaaS security products such as WhiteHat Sentinel.
- DevSecOps or DevOps experience, including the CI/CD model.
- Windows and/or Linux hardening techniques.
- Docker hardening techniques (e.g., minimal base images, non-root containers, read-only filesystems, dropped capabilities).
- Traffic and log analysis from a security perspective.
- Familiarity with OWASP Top 10 and SANS/CWE Top 25 application vulnerabilities.
- Experience with secure code reviews.
- Experience with web and application servers such as IIS, Apache, and Tomcat.
- Ability to travel when required.
We offer an outstanding benefits package that includes up to four weeks of paid time off each year, comprehensive health insurance, a generous retirement savings plan, tuition reimbursement, ongoing professional development and training, and more.
Our mission is to clear a path for all students to own their future.
College Board is proud to be an equal opportunity employer. We are committed to equal employment opportunity regardless of race, color, ancestry, religion, sex, national origin, sexual orientation, age, citizenship, marital status, disability, gender identity or veteran status.