DevOps Security Lead

June 2019

CH-Zürich

on request

14.06.2019

DOSL_1560511750

Project description

Main tasks/activities:

* Understand all infrastructure-as-code (IaC) artefacts in Azure DevOps, with specific focus on Kubernetes, Kafka, Zookeeper and NoSQL (e.g. Couchbase)
* Secure the CI/CD process for IaC and microservice (Spring Boot, Python) deployments
* Design and own our Docker registry and the policies governing it
* Implement and maintain the company-wide scanning tools (e.g. Aqua, NexusIQ, Qualys) in the pipelines
* Implement and ensure encryption at rest and in transit
* Design, implement and ensure best practices for AuthZ (e.g. token rotation) for both human and non-human identities
* Design, implement and maintain secrets management
* Design and implement the security aspects of configuration management
* Work with developers to understand the security context of the apps and their interaction with Apache Kafka; the candidate will design and own the implementation of how Kafka will be secured
* Align with the Automation lead on quality controls and continuous testing best practices, especially blue/green and canary deployments
* Design and maintain the availability and stability of all long-lived state (e.g. the event store)
* Secure the state against unauthorized access: design and implement a data lifecycle (non-prod vs. prod) for data arriving as Kafka messages under the event-carried state transfer paradigm
* Consult with the Automation lead on network layouts and negotiate integration/segregation topics with other network teams
* Support and give guidance on test-driven development practices and their implementation in the pipelines in a DevSecOps style (e.g. Chaos Monkey, automated pen-testing)
* Implement continuous improvements on governance aspects (e.g. Azure Policies)
* Efficiently leverage Azure services for addressing security concerns (e.g. WAF)
* Own the integration with Azure Active Directory and IAM
* Continuously work with the teams to improve all components as the use cases grow more complex
* Own the validity and applicability of all vendor libraries and licenses (e.g. for HashiCorp Vault)
* Design an observability (especially logging) concept and implement responses to incidents
* Design high availability and disaster recovery strategies (incl. multi-zone deployments and consistency) in the context of event sourcing, with special focus on securing and protecting the event store and guaranteeing replayability
* Design and maintain a holistic security concept for VMs, stateful apps and stateless apps, whether running on K8S or as container instances
* Design and maintain monitoring and telemetry holistically
* Design and take ownership of the security incident process
* Train other engineers
* Ensure compliance with the company-wide digital governance framework and audit requirements
* Document all of the above (readme, wiki and JIRA)

Must-have skills:

* Public cloud experience with practical implementation of security standards: OWASP Top 10, ISO/IEC 27002, ISO/IEC 17788
* Expert knowledge of zero-trust networking and service meshes
* Expert knowledge of authorization (AuthZ) concepts and techniques, e.g. RBAC, ABAC
* Expert knowledge of authentication (AuthN) techniques and tools
* Strong, proven automation experience with CI/CD in the public cloud using industry-standard build tools such as Maven and Gradle
* Expert knowledge of git
* Knowledge of Kubernetes deployments (e.g. sidecars), container isolation, multi-tenancy and software-defined networking
* Knowledge of static code scanning best practices
* Expert knowledge of continuous monitoring and the use of telemetry
* Test-driven development: understands the semantics of unit tests and end-to-end integration tests and the imperative for continuous testing
* Has worked with CI/CD for integration, migration and deployment: experience in automated build, test and deploy with an explicit focus on state management and state handling
* Strong understanding of networks, especially how Layer 7 design must align with Layers 3-6 in the public cloud; expert knowledge of multi-cloud firewall design
* Excellent communication in English, written and spoken
* Delegation and (self-)management skills for working in a flat, distributed team
* Encryption tools and techniques
* Strong experience with infrastructure as code
* Linux (Alpine, Ubuntu, SLES) and Unix
* Knowledge of event-driven architecture and microservices

Frameworks / Tools:

* Azure DevOps, Ansible, yaml-pipelines, Helm, build agents, scripting (bash, python)
* Container-based (Docker / Kubernetes) orchestration
* High availability for stateful workloads using cloud-native techniques
* Ability to read code in the industry-standard languages (Java/Spring, Python, JS)
* DB-queries (also NoSQL) e.g. Couchbase, SAP HANA, Postgres
* Cloud managed services (e.g. Blob Storage, databases, Insights, Security Center)
* Build and deployment tools such as Git, Gradle, Maven
* API Gateways, HTTPS, REST/ODATA/GraphQL/etc API-specs
* State-management e.g. Zookeeper, Schema Registry, Event Store
* Aqua, Qualys, DataDog, Grafana, Prometheus, Zeebe, Vault
