Information Security Engineer (DevSecOps)

Primary job duties:

• Perform vulnerability scans, review output, provide initial analysis and remediation
• Perform information security incident response and issue resolution as needed
• Protect digital assets from unauthorized access, mitigate risks before a data breach occurs and provide security to ensure critical information is thoroughly protected
• Implement, configure and upgrade security tools and systems
• Evaluate, integrate and configure security tooling
• Collaborate with technical teams, product managers and third parties
• Respond to cyber security alerts from a variety of systems throughout the enterprise.
• Security event handling including InfoSec tickets, investigating log alerts & other security events via supervising tools, event to incident conversion, etc.
• Perform technical risk assessments for software, products & services used anywhere inside Sonatype (OEMs, tools, algorithms, libraries etc.)
• Identify flaws within the organization's infrastructure and make risk-based recommendations.

We are looking for consistent track record within the following areas:

• 3 + years of Software development experience or security related engineering
• 3 + years Development Operations (DevOps) experience
• 3 + years of Incident management/handling and response methods/escalation
• 3+ years Vulnerability management & scanning tools
• Common security frameworks and protection methods
• Technical risk assessment methods
• DevSecOps processes
• Cloud and infrastructure security

Additional skills of interest to us:

• Be conversant in web application security, ex: OWASP top 10
• Be familiar with the principles of security architecture
• Have experience with SAST, DAST, SCA, or related security testing frameworks/tools
• Have experience with threat modeling frameworks and related industry tools
• Have performed security reviews of architecture, source code, infrastructure, and/or SDLC processes
• Have deployed vulnerability scans, either automated or custom.
• Hold any of the following SANS Certifications: GSEC, GCIH, GCLD, GCID, GMON
• Hold any (ISC)² Certifications such as: CISSP, CC, SSCP, CCSP, CAP, CSSLP

Things that we are proud of:

• 2022 Frost & Sullivan Technology Innovation Leader Award: Sonatype earned Frost & Sullivan’s 2022 Global Technology Innovation Leadership Award in Development and Operations (DevOps) Security.
• NVTC 2022 Cyber Company of the Year: Sonatype was named Commercial Cyber Company of the Year and a Capital Cyber Award-winner by the Northern Virginia Technology Council (NVTC)
• 2022 Annual Peer Award: Sonatype’s Nexus Lifecycle won a PeerSpot Silver Peer Award as a leading Enterprise Technology solution in the Software Composition Analysis category.
• 2022 Best in Biz Award: Sonatype CEO Wayne Jackson was recognized as a Silver Winner in the Best in Biz Awards' Executive of the Year category.
• Tech Ascension Awards: Sonatype was named the Best DevOps Security Solution for Nexus Lifecycle and Nexus Firewall (Software Composition Analysis).
• Builtin Best Places to Work: Sonatype was named to the Washington DC 100 Best Places to Work list and Washington DC Best Midsize Places to Work list.
• Company Wellness Week - We shut down company operations for a week to enable all employees to spend time pursuing personal growth and enjoying much-needed and deserved rest.
• Diversity & Inclusion Working Groups
• Parental Leave Policy
• Paid Volunteer Time Off (VTO)