DevOps Security Lead

Contract type:
On site
Start:
July 2019
Duration:
6 months
From:
Darwin Recruitment
Location:
Zürich
Posted:
15.06.2019
Country:
Switzerland
Project ID:
1785175


Main tasks/activities:

  • Understand all infrastructure-as-code (IaC) artefacts in Azure DevOps, with specific focus on Kubernetes, Kafka, ZooKeeper and NoSQL (e.g. Couchbase)
  • Secure the CI/CD process for IaC and microservice (Spring Boot, Python) deployments
  • Design and own the policies for our Docker registry
  • Implement and maintain the company-wide scanning tools (e.g. Aqua, Nexus IQ, Qualys) in the pipelines
  • Implement and ensure encryption at rest and in transit
  • Design, implement and enforce AuthZ best practices (e.g. token rotation), for both human and non-human identities
  • Design, implement and maintain secrets management
  • Design and implement the security aspect of configuration management
  • Work with developers to understand the security context of the apps and their interaction with Apache Kafka; the candidate will design and own the implementation of how Kafka is secured
  • Align with the Automation Lead on quality controls and continuous-testing best practices, especially blue/green and canary deployments
  • Design and maintain the availability and stability of all long-living state (e.g. the event store)
  • Secure that state against unauthorised access: design and implement the data life cycle (non-prod vs prod) for data arriving as Kafka messages under the event-carried state transfer paradigm
  • Consult with the Automation Lead on network layouts and negotiate integration/segregation topics with other network teams
  • Support and give guidance on test-driven development practices and their implementation in the pipelines in a DevSecOps style (e.g. Chaos Monkey, automated pen-testing)
  • Implement continuous improvements on governance aspects (e.g. Azure Policy)
  • Efficiently leverage Azure services for addressing security concerns (e.g. WAF)
  • Own the integration with Azure Active Directory and IAM
  • Continuously work with the teams to improve all components as the use cases grow more complex
  • Own the validity and applicability of libraries and licences of all vendors (e.g. for HashiCorp Vault)
  • Design the observability (especially logging) concept and implement reactions to incidents
  • Design high-availability and disaster-recovery strategies (incl. multi-zone deployments and consistency) in the context of event sourcing, with special focus on securing and protecting the event store and guaranteeing replayability
  • Design and maintain a holistic security concept for VMs, stateful apps and stateless apps, whether running on Kubernetes or as container instances
  • Design and maintain monitoring and telemetry holistically
  • Design and take ownership of the security incident process
  • Train other engineers
  • Ensure compliance with the company-wide digital governance framework and audits
  • Document all of the above (README, wiki and JIRA)

Must have skills:

  • Public cloud experience with practical implementation of security standards: OWASP Top 10, ISO/IEC 27002, ISO/IEC 17788
  • Expert knowledge of zero-trust networking and service meshes
  • Expert knowledge of AuthN concepts and techniques
  • Expert knowledge of AuthZ techniques and tools, e.g. RBAC, ABAC
  • Strong and proven automation experience with CI/CD in the public cloud using industry-standard tools such as Maven and Gradle
  • Expert knowledge of Git
  • Knowledge of Kubernetes deployments (e.g. sidecars), container isolation, multi-tenancy and software-defined networking
  • Knowledge of static code scanning best practices
  • Expert knowledge of continuous monitoring and the use of telemetry
  • Test-driven development: understands the semantics of unit tests and end-to-end integration tests and the imperative for continuous testing
  • Has worked with CI/CD for integration, migration and deployment: experience in automated build, test and deploy with an explicit focus on state management and state handling
  • Strong understanding of networks, especially how Layer 7 design needs to align with Layers 3-6 in the public cloud; expert knowledge of multi-cloud firewall design
  • Excellent communication in English, written and spoken
  • Delegation and (self-)management skills for working in a flat and distributed team
  • Encryption tools and techniques
  • Strong experience with infrastructure as code
  • Linux (Alpine, Ubuntu, SLES) and Unix
  • Knowledge of event-driven architecture and microservices

Frameworks/Tools:

  • Azure DevOps, Ansible, YAML pipelines, Helm, build agents, scripting (bash, Python)
  • Container-based orchestration (Docker/Kubernetes)
  • High availability of stateful workloads using cloud-native techniques
  • Can read code written in the industry-standard polyglot stack (Java/Spring/Python/JS)
  • DB queries (also NoSQL), e.g. Couchbase, SAP HANA, Postgres
  • Cloud managed services (e.g. Blob Storage, databases, Insights, Security Center)
  • Build and deployment tools such as Git, Gradle, Maven
  • API gateways, HTTPS, REST/OData/GraphQL API specs
  • Aqua, Qualys, Datadog, Grafana, Prometheus, Zeebe, Vault