Position Summary:
The DevSecOps Engineer is a member of the organization's operational, compliance, and application security programs to safeguard internal company data and client data. The DevSecOps Engineer role will review and assess the security of applications and infrastructure to enhance MeridianLink's overall security. This role will work cross-functionally with development, engineering, and product teams to solve real problems in ways that meet our security requirements. This is a highly technical, hands-on role; the individual will be responsible for assessing and securing MeridianLink’s systems and applications at multiple layers of the technology stack. The DevSecOps Engineer will think like an adversary and identify how applications and systems must evolve as the threat landscape changes. Security and trust are the foundation of MeridianLink’s commitment to our customers. This individual will support and drive a security-by-design architecture.
Expected Duties:
The DevSecOps Engineer will assist with user issues while working with Sr. DevSecOps Engineers or other security personnel as needed.
Participate in and support application security reviews and threat modeling, including code review and static/dynamic testing.
Responsible for understanding and interpreting both business and technical requirements for creating secure applications and infrastructure.
Responsible for the design and implementation of application security solutions that enforce security consistently across all applications and products.
Conduct infrastructure assessments of cloud, network, and data services that support MeridianLink’s products.
Design, develop, test, document, deploy, monitor, and support existing and new AppSec and SecOps tooling.
Automate security testing and vulnerability management procedures where reasonable.
Promote a proactive approach to addressing the changing threat landscape by recommending and implementing architectural improvements to security infrastructure.
Collaborate with developers on secure code development best practices and strategies while implementing them into the SDLC.
Collaborate cross-functionally to architect, develop, implement, and support automated static/dynamic testing within MeridianLink’s CI/CD pipelines.
Act as the security team’s primary liaison to the development/software engineering teams and partner with them to remediate any identified risks, threats, or vulnerabilities.
Perform automated and manual vulnerability assessments as needed and/or on a regular cadence, leveraging a wide variety of industry-standard tools, to identify and validate vulnerabilities in MeridianLink’s applications, cloud infrastructure, and endpoints.
Assess new/proposed applications and provide guidance and subject matter expertise regarding any insecure architecture/design principles.
Support and provide guidance in regulatory and compliance efforts/requirements as necessary.
Act as a subject matter expert for secure coding practices, penetration testing, and all aspects of application and product security.
Participate in the internal CSIRT on-call rotation and incident response as needed.
Qualifications: Knowledge, Skills, and Abilities
The DevSecOps Engineer position will perform simple to moderately difficult, yet impactful aspects of the role independently, and the position will support peers and management on difficult to complex aspects of the role. The individual will develop professional expertise in the subject area and will apply MeridianLink’s policies and procedures to resolve a variety of issues.
Bachelor’s degree and 2-4 years of related experience or equivalent work experience
1+ years of hands-on experience in implementing/maintaining CI/CD, security, and data pipelines
Hands-on experience in designing, securing, and delivering cloud applications and solutions within AWS, Azure, and GCP cloud platforms
Must have a solid understanding of DevSecOps pipelines and CI/CD integration, and proven expertise in securing cloud infrastructure environments
Experience with threat modeling and deep understanding of application security vulnerabilities (SANS, OWASP Top 10)
Experience performing threat modeling and design reviews to assess security implications and requirements for new technologies
Prior work in a DevSecOps environment preferred, with a thorough understanding of SDLC methodologies and experience securing APIs and web services
Experience with industry standard application and information security testing tools such as Kali Linux, Metasploit, Burp Suite, and WebInspect
Experience and understanding of infrastructure as code, automation, container security architecture, and orchestration tools
Experience in languages such as Python, C#, Java, PowerShell, and an understanding of modern web technologies and relationships between them
Experience performing static and dynamic code analysis (SAST/DAST)
Expertise in and strong knowledge of CI/CD pipelines covering source control, integration, and deployment
Experience securing cloud deployment and containers
Strong analytical/problem-solving skills and cross-functional knowledge across multiple development and security disciplines
Ability to communicate security-related concepts to a broad range of technical and non-technical staff
What We Do
Pioneering Technologies for Your Financial Institution
Since 1998, we have been creating innovative technologies that transform the way financial institutions operate by solving complex problems with streamlined, user-friendly solutions. Our robust and secure technologies empower lenders and consumers to get reliable, accurate information every time, at any time. As well-established industry leaders, we continue to set the industry standard for web-based credit reporting and lending for financial institutions of every size.









