DevSecOps & Secure-SDLC Engineer
Toronto - Bremner, Canada
Company:
MMC CorporateDescription:
Marsh McLennan is seeking candidates for the following position. This role will be based in Canada. This is a hybrid role that has a requirement of working at least three days a week in the office.
Join our dynamic team as a DevSecOps & Secure-SDLC Engineer, where you will play a pivotal role in leading initiatives that enhance our Secure Software Development Lifecycle (Secure-SDLC) in alignment with our Application Development Security Policy. In this position, you will be responsible for selecting and standardizing application security tools through comprehensive vendor assessments and proof of concepts. You will integrate Secure-SDLC requirements into our DevSecOps processes, ensuring that our application security standards are robust and tailored for agile development methods across both traditional and cloud architectures, including container workloads.
DevSecOps & Secure-SDLC Engineer
We will count on you to:
Advise the application security leadership on best practices and standards around application security tools with main focus on shift-left, create predictable CI/CD pipeline processes, and enable application teams to develop new capabilities securely, and free from security defects, by design
Assess security tools and related processes currently used within the various Software Development Life Cycle processes to identify improvements opportunities, and rationalize the tools set
Select new application security tools including vendor/tool assessments and conduct full POC to prove that the security solutions/products are fit-for-purpose and fit-for-use
Draft documentations for the Secure-SDLC and DevSecOps to illustrate the frameworks and its process guidelines to internal customers ensuring the style is palatable and easy to navigate
Assess impact of new publications from the security industry (e.g. NIST 800-XXX, ISO 2700X:2022, etc) on the company’s AppSec programs
Research new trends and advise the application security leaderships on impact of the new trends as they relate to currently used tools, tool chain roadmap, efficiency and effectiveness of current processes, etc.
Promote secure coding standard and all related processes
Promote the priorities set forth by Global Information Security function, and the roadmap set forth by the Global Application Security
Automate and integrate security scan and analysis tools into the DevSecOps pipeline
What you need to have:
5 years+ DevSecOps and Secure-SDLC work experience
CISSP, CSSLP, cloud security, DevSecOps automation, or similar is required
Post-secondary education or equivalent experience as a DevSecOps Engineer
Develop/enhance and implement the Secure-SDLC framework
Design, implement, and rollout DevSecOps automations and tool chain
Implement sensors to collect data on key metrics for statistics and reporting
Serve as the subject matter expert in Secure-SDLC and DevSecOps
Advise on the processes and standards that are designed to implement a company’s Application Development Security Policy
Experience in designing Secure-SDLC processes and relevant tooling to support the processes
Experience in software/application analysis tools like SAST, DAST, SCA, threat modeling, supply-chain etc.
Technical hands-on experience in automating and integrating security scan and analysis tools into the DevSecOps pipeline.
Experience in one or more programming languages
Familiarity with security frameworks (OWASP Top 10, SANS Top 25, CWE)
What makes you stand out:
Identify application security requirements and brainstorm solutions factoring in industry best practices
Assess the tooling and remediation of threats and vulnerabilities within our software/applications, and the hosting environment
Why join our team:
We help you be your best through professional development opportunities, interesting work, and supportive leaders.
We foster a vibrant and inclusive culture where you can work with talented colleagues to create new solutions and have impact for colleagues, clients, and communities.
Our scale enables us to provide a range of career opportunities, as well as benefits and rewards to enhance your well-being.
Job Profile
At least three days a week in the office Hybrid role Hybrid work
Benefits/PerksCareer opportunities Development opportunities Disability Dynamic team environment Employee Assistance Programs Flexibility Flexible work Flexible work environment Hands-on experience Health and welfare Health and welfare benefits Hybrid work Hybrid work model Inclusive culture Interesting work Medical Performance-based incentives Professional development Professional development opportunities Retirement programs Supportive leaders Training Tuition Assistance
Tasks- Advise on application security best practices
- Assess security tools and processes
- Collaboration
- Draft documentation for secure-sdlc and devsecops
- Integrate secure-sdlc requirements into devsecops processes
- Lead secure software development lifecycle initiatives
- Research
- Research new trends in application security
- Select and standardize application security tools
- Training
Advising Agile Agile Development Analysis Application Development Application Security Automation Best Practices CI/CD Cloud Architectures Cloud Security Coding Collaboration Container Workloads CWE DAST Design DevSecOps Information security Law Leadership OWASP Power Programming Programming languages Reporting Research Retirement programs SAST SCA SDLC Secure SDLC Security Security Tools Software Development Software development life cycle Statistics Strategy Supply chain Teams Threat modeling Training
Experience5 years
EducationEquivalent Equivalent experience Post-secondary Software Development Statistics
CertificationsARe CISSP Cloud Security CSSLP
TimezonesAmerica/Edmonton America/Moncton America/Regina America/St_Johns America/Toronto America/Vancouver UTC-3 UTC-4 UTC-5 UTC-6 UTC-7 UTC-8