Senior DevSecOps Engineer, DevSecOps
Meet Our Team:
Pega is transforming software development by offering innovative solutions to major global organizations and renowned brands. We enable rapid transformation from problems to effective solutions, meeting the high expectations of businesses worldwide that depend on Pega for enhanced business and customer experience.
We're looking for a seasoned Application Security Engineer with 4-7 years of experience, skilled in integrating security throughout the development lifecycle. At Pega Systems, you'll play a key role in advancing our security practices by designing robust frameworks, automating security practices, and fostering a security-first culture.
If you're eager to contribute to cutting-edge projects and enhance our security posture, join us in a forward-thinking organization that values continuous improvement and professional growth.
Picture Yourself at Pega:
As a Senior DevSecOps Engineer, you will embed security across the software development lifecycle, designing and operating SAST, DAST, OSS, PEN Test and SCA controls; integrating them into CI/CD; and driving vulnerability management from discovery through remediation. You’ll partner with product teams, Security Champions, and release engineering to ensure high-severity issues are treated as release-blocking and resolved within agreed SLAs.
What You'll Do at Pega:
- Integrate security practices into the DevOps pipeline, embedding security throughout development and deployment.
- Understand Pega products and incorporate security best practices at every level.
- Design and implement automated security testing tools and processes within CI/CD pipelines to enhance efficiency and coverage.
- Conduct risk assessments and threat modeling to identify vulnerabilities and propose balanced mitigation strategies.
- Collaborate with incident response teams to quickly identify, contain, and remediate security incidents, and conduct post-incident analyses.
- Work closely with cross-functional teams to promote a security-first mindset across the organization.
- Have a good understanding of tools like Veracode, JFrog Xray, Trivy, Revenera.
- Expertise in security testing methodologies such as SAST, DAST, penetration testing, and OSS, along with proficiency with tools like OWASP ZAP, Burp Suite, or Fortify, is highly recommended.
- Stay current with emerging security trends and technologies to drive continuous improvement in the organization’s security posture.
- Mentor junior team members and guide them in solving issues.
Who You Are:
You are a seasoned Application Security professional with expertise in integrating security throughout the DevOps lifecycle and automating testing frameworks. Proficient in any of the programming languages like Python, Java, or Go, and tools such as Jenkins, Docker, and Kubernetes, you excel in technical problem-solving and collaboration with cross-functional teams. A continuous learner, you stay updated on security trends and thrive in dynamic environments, always enhancing security practices. As a proactive and adaptable team player, you embrace feedback, engage in retrospection, and are driven by measurable results and self-improvement.
What You've Accomplished:
4-7 years of successfully embedding security into product SDLC, automated testing frameworks, and leading initiatives to enhance the organization's security posture, demonstrating expertise in risk assessment, vulnerability management, and cross-functional collaboration. An individual who is slightly paranoid (in a good way), a self-starter, ambitious, customer-focused, a team player, and has a can-do attitude.
- Development Background:
  - 2 or more years of full-stack application development in Java, Python, JavaScript (Node.js), and .NET.
- CI/CD Tools: Experience in using Jenkins, GitHub Actions, GitLab CI/CD, Travis CI, CircleCI, etc., for integrating security into automated pipelines, ensuring security is central to development and deployment.
- Security Testing Tools: Expertise in:
  - SAST & SCA tools such as Veracode, Checkmarx, Snyk, JFrog Xray, Trivy, etc.
  - DAST tools such as Invicti/Netsparker, Qualys, and OWASP ZAP.
  - Penetration testing tools such as PortSwigger Burp Suite.
- Vulnerability Management:
  - Tooling, such as Defect Dojo, ServiceNow, etc.
  - End-to-end lifecycle: intake, deduplication, validation, prioritization, assignment, and tracking to closure; codify SLAs for critical/high severity and drive cross-team accountability.
- Automation and Programming: Developed automated security testing frameworks, reducing deployment time and enhancing security. Skilled in languages like Python, Java, or Go, and scripting with Bash or PowerShell.
- Additional Skills: Knowledge of Agile/Scrum methodologies and Security certifications like CWEB, CSSLP, CISSP, CISM, CEH, or OSCP are beneficial.
Pega Offers You:
- Friendly, informal and multicultural atmosphere with more than 19 different nationalities
- Flexible working hours
- The world’s most innovative organizations as reference-able clients
- A lot of interesting and challenging work
- Hackathons and social events
AI in Action – Pega embraces the power of artificial intelligence. We encourage all employees to actively engage with AI technologies and continually explore ways to responsibly integrate AI into our products and processes. We may support parts of our recruitment process with automatic processing and, if required by law, you may in such cases have the right to request human intervention, challenge the outcome of such processing and comment on it.
Culture – At Pegasystems, we foster an environment where people feel valued and empowered to contribute their best. With global clients across industries and regions, we know our success depends on the unique perspectives, experiences, and talents of our people. Ours is a workplace where everyone can grow, collaborate, and deliver meaningful outcomes.
We encourage candidates from all backgrounds and experiences and focus on the core competencies and mindset needed to thrive in a role.
As an Equal Opportunity employer, Pegasystems will not discriminate in its employment practices due to an applicant's race, color, religion, sex, sexual orientation, gender identity, national origin, age, genetic information, veteran or disability status, or any other category protected by law.
Export Compliance – For positions requiring access to technical data subject to export control regulations such as this, Pegasystems may need to obtain export license approval from the U.S. Government and EU Authorities for certain individuals.
Accommodations – If you require reasonable accommodations under the Americans with Disabilities Act (US only) or comparable regional regulations in completing this application, interviewing, completing any pre-employment testing, or otherwise participating in the employee selection process, please contact us here or contact (US only) 1-888-PEGA-NOW and/or 225 Wyman Street Waltham, MA 02451 ATTN: Benefits.