Full-time Senior DevSecOps I Threat - Vulnerability Management, IT Security job, salary, Maybank Federal Territory now hiring - Ricebowl

Senior DevSecOps I Threat - Vulnerability Management, IT Security

Undisclosed

KL City, Federal Territory

Work Location

  • Kuala Lumpur Federal Territory Malaysia

Job Description

Job Responsibilities

Background

  • The Senior DevSecOps is responsible for integrating security practices into the DevOps lifecycle, ensuring that software delivery pipelines are secure, efficient, and scalable.
  • This role bridges development, operations, and security, driving automation and compliance across cloud and on-prem environments.


Key Responsibilities

  • Design and continuously evolve the cloud security testing methodology and tooling.
  • Develop and execute advanced threat modeling exercises for cloud infrastructure and applications.
  • Guide and mentor junior cloud testers, including peer reviews, knowledge sharing, and technical training.
  • Design, build and maintain secure CI/CD pipelines with automated security testing (SAST, DAST, IAST).
  • Perform detailed exploitation of misconfigurations, vulnerable APIs, permissions escalation paths, and data exposure risks.
  • Build custom tools, scripts, and proof-of-concepts to demonstrate the impact of discovered vulnerabilities.
  • Collaborate with the internal pentesting team to simulate real-world attack scenarios that identify weaknesses in cloud architecture, configurations, IAM, networking, containers, and serverless environments.
  • Collaborate and partner with Cloud Teams, Cloud Security Architects, DevSecOps and VA & Remediation teams to advise on remediation and best practices for securing deployments on AWS, Azure, GCP, etc.
  • Integrate and manage TVM security tools in the Cloud and/or DevSecOps environments.
  • Collaborate with VA & Remediation teams to produce relevant evidence during audit exercises.
  • Stay ahead of emerging threats, cloud-native exploitation techniques, and regulatory frameworks affecting cloud security.


Key Requirements

  • Bachelor's degree in Business, Computer Science, Information Security, Cybersecurity, or a related technical field, or equivalent.
  • Minimum 3–5 years of hands‑on experience in DevSecOps or security engineering roles.
  • Familiarity with security scanning tools (Snyk, SonarQube, OWASP ZAP, Trivy).
  • Experience in regulated environments (e.g., banking, finance, or telecommunications) is highly advantageous.
  • Hands‑on experience with threat modeling, vulnerability management, and penetration testing.
  • Experience implementing secure coding practices and automated security testing.
  • Cloud security certifications such as AWS Certified Security Specialty, Microsoft Azure Security Engineer Associate, Google Professional Cloud Security Engineer, Certified DevSecOps Professional (CDP), Certified Kubernetes Security Specialist (CKS), or GIAC Cloud Security Automation (GCSA).
  • In-depth knowledge of public cloud environments: AWS, Azure, and GCP.
  • Strong understanding of IAM, cloud networking, compute, serverless, containers (Kubernetes), storage, and logging.
  • Skilled in offensive security tools such as Pacu, ScoutSuite, Prowler, Burp Suite, and Nmap, and in custom scripting (Python, Bash, PowerShell).
  • Familiar with IaC and CI/CD tooling: Terraform, CloudFormation, Jenkins, GitLab CI, etc.
  • Strong understanding of MITRE ATT&CK for Cloud, adversary simulation, and attacker TTPs.

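Important Safety Guidelines

When applying for a job, never provide your bank or credit card details. Do not transfer money or complete unrelated online surveys. If you notice suspicious content, please report this job advertisement.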