Job Purpose: 
The Senior DevSecOps Engineer is an individual contributor responsible for designing, implementing, and operating security controls across the software development lifecycle (SDLC). This role partners closely with Engineering teams, IT Operations, and the Manager of Cyber Security to embed security directly into development workflows, CI/CD pipelines, and cloud platforms. The core function of this role is active, hands-on partnership with Engineering teams to build secure-by-default patterns, improve secure design and delivery practices, and implement security controls within existing development and operational workflows. While the role maintains awareness of governance and compliance requirements, the primary focus is practical engineering execution that results in scalable, auditable, and repeatable security outcomes.

Essential Duties and Responsibilities:

Secure SDLC Implementation & Governance Awareness

• Design, implement, and maintain security controls across all SDLC phases
• Translate security policy, OWASP guidance, and SOC-aligned requirements into engineering standards and pipeline controls
• Embed security checks and guardrails into Agile and DevOps workflows (Jira Software, Azure DevOps)
• Ensure SDLC controls generate reliable, repeatable audit evidence supporting SOX and SOC 1 / SOC 2 assessments

Architecture & Design Security

• Perform application risk profiling and threat modeling for new and materially changed systems
• Review application, API, and platform architectures from a security and risk perspective, providing guidance on required security controls and integration patterns
• Design and implement security architecture components, guardrails, and shared controls supporting:
  • Azure PaaS resources and identity integrations (Entra ID, Azure B2C/External ID)
  • Web applications hosted on IIS and Node.js
  • APIs and externally exposed services
  • Data platforms including Microsoft SQL, Oracle SQL, CosmosDB, Databricks, and Microsoft Fabric
• Partner with architects and engineers to ensure alignment with approved security patterns and baselines, without owning application code or business logic

CI/CD, Pipeline & Tooling Security

• Secure CI/CD pipelines and Git-based workflows
• Implement application security tooling integrations and tune results for actionable signal
• Integrate SAST, DAST, SCA, image scanning, and secrets detection into pipelines
• Implement secure secret management, pipeline access controls, and deployment protections
• Configure and maintain security controls for Web Application Firewalls (WAF), API gateways, and ingress layers

Verification, Testing & Defect Management

• Define security testing requirements and acceptance criteria aligned to SDLC controls
• Implement and maintain automated security testing workflows
• Validate remediation of application and pipeline security findings
• Maintain traceability between findings, fixes, Jira tickets, and generated audit evidence

Operations, Incident Support & Continuous Improvement

• Participate in incident response activities related to application, pipeline, and identity security
• Support root-cause analysis and implement preventative improvements through enhanced observability and security telemetry
• Validate backup, restore, and disaster recovery controls with a security and access-control focus
• Define and track security metrics supporting continuous improvement and SOC evidence requirements

Qualifications:

• Bachelor’s degree in Computer Science, Information Security, Information Systems or a related field
• Minimum 5 years of experience in DevSecOps, application security, or secure platform engineering
• Demonstrated experience implementing and operating security controls across CI/CD, cloud, and SDLC environments
• Strong foundational knowledge across DevOps and platform engineering, including:
  • Core networking concepts (VPC/VNet, DNS, TCP/IP, TLS, load balancing, proxies, firewall/NSG)
  • Windows and Linux systems (processes, permissions, filesystems, networking, troubleshooting)
  • Git-based workflows (branching strategies, pull requests, releases)
  • Scripting and automation (PowerShell, Bash, and/or Python)
• Strong hands-on experience implementing DevSecOps security controls, including:
  • Secure SDLC practices and OWASP guidance (from a control, tooling, and risk perspective)
  • Azure cloud security and identity services (Entra ID, Azure B2C/External ID)
  • CI/CD pipelines, Git-based workflows, and build/deploy automation
  • Containers and orchestration fundamentals (Docker, Kubernetes) and Infrastructure as Code (Terraform, Ansible)
  • Vulnerability management tooling (SAST, DAST, SCA, image scanning)

Preferred Qualifications – Security Certifications

• Microsoft security certifications aligned to Azure, identity, and cloud architecture (e.g., SC-100, AZ-500, SC-300)
  • Industry-recognized security certifications such as CSSLP, CISSP, CISM, or relevant GIAC credentials

Education and/or Experience Required:

Language Skills Sets:  

• Ability to read, analyze, and interpret general business periodicals, professional journals, technical procedures, or governmental regulations.  Ability to write reports, business correspondence, and procedure manuals.  Ability to effectively present information and respond to questions from groups of managers, clients, and customers.

Mathematical Skills:          

• Ability to add, subtract, multiply, and divide in all units of measure, using whole numbers, common fractions, and decimals.  Ability to compute rate, ratio, and percent and to draw and interpret bar graphs.   

Reasoning Ability: 

• Ability to solve practical problems and deal with a variety of concrete variables in situations where only limited standardization exists.  Ability to interpret a variety of instructions furnished in written, oral, diagram, or schedule form.  Ability to determine “root cause” of problem and determine corrective action.   

Computer Skills:        

• To perform this job successfully, an individual must have knowledge of Business Operating Systems, Internet software, Word Processing, and Spreadsheet software.  

Physical Demands: 

• Must be able to occasionally lift and/or move up to 10 pounds.
• Must be able to activate phone systems utilizing keyboards and buttons.
• Must be articulate and comfortable speaking in front of others.
• Regularly works in an indoor/office environment and required to sit and/or use repetitive hand motion.
• Frequently required to talk, hear, stand and walk.
• Must be able to work in excess of continuous 8 hours when required.
• Must be able to work under stressful situations, have good cognitive skills, maintain work accuracy, and the ability to concentrate on more than one task at a time.
• Must have the ability to read and discern visual images on a variety of media with 20/20 corrected vision.
• Must be able to speak and communicate clearly over telephones.
• Must be in sound physical health as determined by a certified licensed physician with no evidence of the use of controlled substances.

Employer Rights:

This job description is intended to provide general information about the Senior DevSecOps Engineer position. The above does not constitute an exhaustive list of the job duties to be performed by an associate holding the position of Senior DevSecOps Engineer, nor are the lists of the physical requirements and environmental conditions exhaustive. You may be asked by your supervisor or managers to perform other duties. Your performance will be evaluated in part based upon your performance of the job duties listed in this job description, as well as any job duties not specifically listed above that you may be asked from time to time to perform. As with all positions, the duties and responsibilities are subject to change at any time as needs arise and at the discretion of the RJW Transport, Inc.  The Company has the right to revise this job description at any time.

Employment-At-Will:

It is the Company’s policy that all associates, other than those covered by a written individual employment or labor agreement with the Company that has been authorized in writing by the Company’s Chief Executive Officer or Board of Directors, are not employed for any fixed term and are employed at the will of the Company for an indefinite period.  Just as our associate’s, reserve the right to resign their employment at any time for any reason the Company reserves its right  to terminate an associate any time for any reason either with or without cause.  

Neither this Job Description nor any of its individual terms constitutes commitments between the Company and its associates as to the terms, conditions or duration of employment, nor does it modify the prevailing Employment-At-Will relationship.