We are looking for a Secure Development Analyst to operate and enhance our DevSecOps capabilities, strengthening CI/CD delivery by embedding automated security controls and actionable guidance for engineering teams. You will help keep our Jenkins + Podman ecosystem running smoothly while partnering with developers to reduce risk.
Responsibilities
- Operate DevSecOps infrastructure supporting Veracode scans across the Jenkins + Podman stack
- Maintain and improve CI/CD pipelines by adding automated controls for SAST, SCA, DAST, secret scanning, and container image analysis
- Design security gates that reduce risk while preserving developer velocity
- Integrate and maintain tooling connections across Bitbucket, SonarQube, and JFrog Artifactory
- Triage security findings, prioritize remediation work, and support teams through resolution
- Perform early interventions in agile delivery by conducting design reviews and story reviews against defined standards
- Collaborate with development and architecture teams to promote secure coding practices and consistent implementation of security requirements
Requirements
- 2+ years of experience in AppSec, DevSecOps, DevOps, or development roles with a security focus
- Hands-on experience with Jenkins, including declarative pipelines, shared libraries, and agent management
- Hands-on experience with Podman for containerized build and scan workflows
- Project experience operating and evolving DevSecOps infrastructure supporting SAST/SCA/DAST workflows
- Strong knowledge of secure development frameworks and standards: NIST SSDF (SP 800-218), OWASP ASVS, OWASP SAMM, OWASP Top 10 (Web/API/LLM/Mobile), SEI CERT, MITRE ATT&CK, and CWE Top 25
- Solid understanding of security testing approaches and tools (SAST, SCA, DAST, IAST, and secret scanning)
- Working knowledge of container ecosystems and orchestration (Docker, Kubernetes/OpenShift) and image scanning concepts
- Proficiency with CI/CD and repository integrations such as Bitbucket/Git, SonarQube, and JFrog Artifactory
- Familiarity with cloud platforms (AWS, Azure, or GCP) and CIS Benchmarks
- Skills in development languages and stacks, with the ability to read and analyze source code (Java, Node.js, JavaScript/TypeScript, Python, Go, .NET)
- Knowledge of auth and federation (OIDC, OAuth 2.0, SAML, JWT, mTLS) and IdPs such as Keycloak
- Background in secure transport protocols (SSL/TLS), PKI, and secret management (Vault, secrets managers)
- Threat modeling experience with STRIDE, PASTA, or attack trees
- Knowledge of best practices to prevent attacks (OWASP) and knowledge of common attack vectors in web applications and APIs
- Good communication skills to explain findings clearly and propose pragmatic fixes
- English proficiency at a B1+ level
Nice to have
- Computer science student or graduate (or related field)
- Experience with Veracode, Checkmarx, Snyk, Semgrep, or GitLeaks
We offer
- International projects with top brands
- Work with global teams of highly skilled, diverse peers
- Healthcare benefits
- Employee financial programs
- Paid time off and sick leave
- Upskilling, reskilling and certification courses
- Unlimited access to the LinkedIn Learning library and 22,000+ courses
- Global career opportunities
- Volunteer and community involvement opportunities
- EPAM Employee Groups
- Award-winning culture recognized by Glassdoor, Newsweek and LinkedIn