DevSecOps Architect: Secure CI/CD & AppSec

The DevSecOps Engineer – CI/CD & Application Security focuses on embedding application security and cloud security controls directly into CI/CD pipelines and developer workflows. This role drives shift‑left security by designing, implementing, and operating automated security guardrails across source code, build, and deployment pipelines in cloud-native environments.

Key Responsibilities

• Design, implement, and operate application security controls integrated into CI/CD pipelines, ensuring secure software delivery by default.
• Embed automated AppSec checks across code, dependencies, builds, and deployment workflows aligned with shift‑left principles.
• Define and maintain secure CI/CD reference architectures and patterns for enterprise cloud-native applications.
• Partner with engineering teams to integrate security seamlessly into developer workflows, minimizing friction and manual intervention.
• Develop reusable pipeline templates, policy controls, and automation to scale AppSec and DevSecOps practices across teams.
• Secure pipeline infrastructure and credentials, protecting against build manipulation, secret leakage, and provenance risks.
• Integrate CI/CD security findings with broader application and cloud security monitoring workflows.
• Investigate and respond to application and pipeline‑related security findings, partnering with Security Operations as required.
• Contribute to cloud security posture by aligning pipeline and application controls with cloud security best practices.
• Embed security controls for AI/ML and GenAI workloads within CI/CD pipelines and developer workflows.
• Define and enforce secure usage patterns for LLMs and AI services, including prompt handling, data protection, and model access controls.
• Implement safeguards against AI‑specific threats, including prompt injection, model poisoning, data leakage, and insecure model outputs.
• Integrate AI security scanning and validation into build pipelines, ensuring safe model usage and dependency integrity.
• Collaborate with engineering teams to establish secure‑by‑design AI application architectures.
• Ensure compliance with enterprise Responsible AI policies (data privacy, bias management, model governance).
• Secure AI‑related secrets, tokens, and API access used in pipelines and applications.
• Monitor and respond to security risks introduced by AI/ML components, including third‑party models and APIs.
• Contribute to AI risk governance, auditability, and traceability across the SDLC.
• Stay current on emerging AI security threats, vulnerabilities, and regulatory expectations.
• Author documentation, standards, and training to drive developer adoption of secure CI/CD and AppSec practices.
• Continuously evaluate emerging application security and software supply chain threats and improve controls accordingly.

Required Qualifications

• Bachelor’s degree in Computer Science, Cybersecurity, Engineering, or equivalent experience.
• 3–6 years of experience in DevSecOps, Application Security, or Platform Security roles.
• Strong hands‑on experience securing CI/CD pipelines using GitHub, Jenkins, and Azure DevOps.
• Solid understanding of application security concepts (secure coding, dependency risk, pipeline hardening, secrets management).
• Foundational understanding of AI/ML and Generative AI concepts, including LLMs and model lifecycle.
• Knowledge of AI/ML security risks such as prompt injection, data poisoning, model evasion, and data leakage.
• Experience integrating AI or ML components into applications or pipelines (preferred hands‑on exposure).
• Familiarity with Responsible AI principles and AI governance frameworks.
• Experience implementing shift‑left AppSec controls in modern SDLCs.
• Experience working in cloud environments (Azure, AWS, or GCP).
• Proficiency with scripting or programming languages (Python, Go, Java, etc.).
• Familiarity with containerized build and deployment models.
• Strong understanding of software supply chain security risks.

Preferred Qualifications

• Experience with policy‑as‑code and automated security governance.
• Knowledge of Kubernetes, container security, and cloud‑native application architectures.
• Experience integrating AppSec signals into enterprise security platforms.