Senior DevSecOps Engineer

We're HCSS. We're a software company based in Sugar Land, TX and we provide innovative solutions for the construction industry that help streamline their operations. Our mission at HCSS is helping customers achieve excellence through our proven, customer-centric, end-to-end solutions and exceptionally helpful service while providing a great life for our employees. With this mission at the forefront of everything we do, we're recognized as a pioneer and leader in our market and nominated the "Best Companies to Work for in Texas" 16 years in a row.
As a Senior DevOps Engineer specializing in application security and DevSecOps, you will play a pivotal role in enhancing the security of our software development processes. You will work closely with engineering, security, and operations teams to implement and maintain security best practices, tools, and infrastructure, ensuring our cloud-based applications remain secure and resilient.
Key Responsibilities:

1. DevSecOps Integration: Embed security into the entire software development lifecycle (SDLC) by implementing security practices, tools, and automation to support continuous integration/continuous delivery (CI/CD) pipelines.
2. Application Security Expertise: Lead efforts in identifying, prioritizing, and mitigating security risks and vulnerabilities in both new and existing applications. Provide subject-matter expertise on application security best practices, secure coding, and threat modeling.
3. Azure Cloud Security: Utilize Azure Cloud services to ensure secure infrastructure deployment and configuration. Implement best practices for securing Azure environments, leveraging services like Azure Key Vault, Azure Security Center, and more.
4. Static and Dynamic Application Security Testing: Lead efforts around Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) to identify and remediate vulnerabilities in both the codebase and runtime environments.
5. Secrets Management: Implement, manage, and continuously improve secrets management solutions (e.g. Azure Key Vault) to protect sensitive information across multiple environments.
6. Software Composition Analysis (SCA): Oversee software composition analysis to identify and manage vulnerabilities in third-party libraries and dependencies, ensuring compliance with security policies.
7. Automation and Infrastructure as Code: Develop and maintain infrastructure as code (IaC) practices using tools like Terraform to automate the provisioning and management of secure cloud environments.
8. Security Policies & Compliance: Ensure compliance with industry security standards (e.g., OWASP, NIST, CIS) and regulatory requirements. Create and enforce security policies related to application security and cloud infrastructure.
9. Collaboration & Mentorship: Collaborate with cross-functional teams to ensure security is prioritized across development, operations, and product teams. Mentor junior engineers on DevSecOps best practices and tools.

Required Skills & Experience:

1. Experience: Minimum of 5 years of experience in application security, DevSecOps, or a related field, with a deep focus on secure software development and security testing practices.
2. Cloud Expertise: Strong hands-on experience with securing applications deployed in Azure environments, including using Azure-native security tools such as Azure Key Vault, Azure Security Center, Azure DevOps, and others.
3. Security Tools & Practices: Expertise in security tools such as SAST, DAST, software composition analysis (SCA), and secrets management solutions (e.g., HashiCorp Vault, Azure Key Vault). Experience with integrating these tools into CI/CD pipelines.
4. Programming/Scripting: Proficiency in scripting or programming languages such as Python, Go, Bash, PowerShell, or similar to automate security tasks and improve security workflows.
5. Secure Development Lifecycle: In-depth understanding of the secure development lifecycle (SDLC) and DevSecOps best practices, with experience embedding security into every phase of software development.
6. Vulnerability Management: Experience with vulnerability management practices, including the use of security scanning tools, risk assessment, and remediation.
7. Compliance Knowledge: Familiarity with security compliance frameworks such as OWASP, NIST, CIS, GDPR, or similar, and experience ensuring applications meet relevant security standards and policies.
8. Collaboration & Communication: Excellent communication skills with the ability to articulate security concepts to both technical and non-technical stakeholders. Experience collaborating cross-functionally with development, security, and operations teams.

Preferred Qualifications:

• Security Certifications: Certified in cloud security (e.g., Microsoft Certified: Azure Security Engineer, CISSP, Certified Cloud Security Professional (CCSP), or equivalent).
• Threat Modeling: Experience with threat modeling techniques and frameworks to assess and address potential security risks early in the design process.
• Experience with Microservices & APIs: Strong understanding of microservices architecture and API security practices.

Benefits and Perks:
Part of our mission statement is to provide a great life for our employees. We believe that happy
employees make for a better company, so we take care of them. Here are a few of the perks we
offer:

• Flexibility for you to work in-office or hybrid.
• Medical and Dental Premiums.
• On-site amenities include a covered basketball court, soccer field, 200-meter track, etc.
• 401K with match.
• Tuition reimbursement.
• And more!

*For remote candidates, travel to office may be requested