NBA
Gen AI Security & DevSecOps Engineer
Vaga remota de DevSecOps Engineering com fit claro de localização do candidato.
Publicada14 de jul. de 2026
Países elegíveis1 país aceito
Sinal de senioridadeSenior
Modelo de trabalhoRemoto
Locais aceitos para candidatos
Estados Unidos
Resumo da vaga
Gen AI Security & DevSecOps Engineer
Requisitos e responsabilidades
Conteúdo da vaga extraído em seções para revisão mais rápida.
Major Responsibilities
- Secure CI/CD pipelines at scale across the organization's CI/CD platforms with standardized security templates and automated policy enforcement, embedding static analysis (SAST), software composition analysis (SCA), container, infrastructure as code (IaC), and secrets scanning, with break build enforcement on critical and high severity findings.
- Administer the enterprise SAST and SCA platform (scan engine infrastructure, query tuning, severity calibration, finding triage) and maintain the exploitability knowledge base that distinguishes true positives from false positives to keep security fast and low friction.
- Build automated compliance tooling that detects required scans, validates pipeline configuration, and flags coverage gaps; audit pipeline posture across platforms and drive remediation directly with engineering teams.
- Support secure SDLC practices and security gates (SAST, SCA, container, IaC, DAST), threat modeling, SBOM generation, and dependency verification; coordinate with the DAST and penetration testing functions and act on bug bounty findings.
- Design and build the enterprise security operations platform and the automation that orchestrates DevSecOps workflows (scan state changes, triage, exemptions, intake, notifications), including AI-assisted vulnerability triage with appropriate guardrails, audit trails, and human oversight.
- Define and report security risk metrics, lead security audits and assessments, conduct supply chain and CVE incident response across the estate, and mentor junior team members.
- Lead security reviews of Generative AI applications, agentic workflows, and AI developer tools submitted through the enterprise AI intake process, assessing against OWASP Top 10 for LLM Applications, OWASP Top 10 for Agentic Applications, NIST AI RMF, MITRE ATLAS, and NBA Gen AI security policy and standards.
- Author and maintain NBA Generative AI security policy and standards, including controls for AI data protection, model and prompt security, agentic AI, MCP (Model Context Protocol) integration, and AI developer tooling.
- Evaluate and onboard Gen AI security tooling such as runtime guardrails, AI red teaming, browser and DLP controls, and MCP governance, and design and operate runtime AI security controls integrated into application pipelines and runtime.
- Govern enterprise security over AI developer tooling and the MCP server approval workflow, and partner with the Enterprise Gen AI, Cloud Infrastructure, GRC, Legal, and Privacy functions to align AI security controls with broader AI governance.
- Administer and operate the enterprise cloud security platform across a large multi-cloud estate (cloud posture, container, and IaC scanning); detect, prioritize, and drive remediation of misconfigurations and vulnerabilities against defined SLAs with infrastructure and application teams.
- Own cloud security scanning policy configuration and service account governance (scope, least privilege, credential rotation), lead platform lifecycle work, and perform technical security configuration assessments of cloud platforms.
- Own the Kubernetes security posture across a large cluster footprint, including admission control, RBAC, namespace isolation, network policies, and Pod Security Standards, and execute admission controller enforcement programs that move policies from audit to block in staged, owner-communicated rollouts with exception and rollback processes.
- Design and operate automated credential rotation across cloud identity and key management services (cross-account role assumption, grace periods, owner notifications) and lead the initiative to eliminate static access keys in favor of OAuth 2.0, OIDC, and role-based authentication.
- Manage the secrets lifecycle across cloud and pipeline secret stores with detection, alerting, and automated rotation, and build reporting that surfaces aging and non-compliant secrets.
Required Education & Professional Experience
- Bachelor's degree in a technical discipline (or equivalent work experience).
- Minimum of seven years in IT (a minimum of five years in information security).
- Hands-on experience administering and integrating modern security tooling across the DevSecOps toolset, including SAST, SCA, DAST, container, IaC, and secrets scanning.
- Hands-on experience designing and securing CI/CD pipelines on modern CI/CD platforms.
- Strong programming and scripting ability, with the ability to build integrations, automation, and tooling against platform APIs.
- Solid hands-on implementation of cloud security across at least one major cloud provider, including identity and access management, secrets management, network security, and posture management, guided by frameworks such as CIS Benchmarks, Cloud Security Alliance, and the NIST SP 800-53 and 800-190/800-204 series.
- Working knowledge of Kubernetes and container security, including RBAC, admission control, namespace isolation, network policies, and Pod Security Standards.
- Familiarity with AI and LLM security frameworks (OWASP Top 10 for LLM Applications, OWASP Top 10 for Agentic Applications, NIST AI RMF, MITRE ATLAS) and the controls that mitigate Generative AI risks such as prompt injection, sensitive data disclosure, and excessive agency (preferred).
- Understanding of governance applied to cloud and AI computing in terms of risk, exposure, impact, and policy; experience writing architectural plans, standards, and guidelines for enterprise platforms.
- One or more industry security certifications, such as GIAC (GCSA), a cloud security certification (CCSP, CCSK, or a cloud provider security certification), or an application or offensive certification (CEH, OSCP, or CySA+).
Vagas similares
Mantenha uma lista reserva.
CI/CD 13 países aceitos
Senior Automation QA EngineerSubway EcommerceVer vaga CI/CD 5 países aceitos
Senior/Lead QA Automation EngineerRadarfirstVer vaga Kubernetes 13 países aceitos
Senior Backend Engineer (AdTech)Leap ToolsVer vaga Kubernetes 13 países aceitos
Senior Backend EngineerLeap ToolsVer vaga Stack
Use estas tags para comparar vagas remotas similares.
Elegibilidade de localização
Candidatos devem aplicar apenas quando o país do perfil estiver listado aqui.
Seu perfilPaís não definidoEntre para comparar seu país com esta vaga.
Fluxo de contratação
O WithMira mostra a vaga e depois envia candidatos para a aplicação da empresa.
1Confira fit da vaga, stack e elegibilidade de localização no WithMira.
2Abra a página de aplicação da empresa pelo link rastreado.
3Salve a vaga ou assine oportunidades similares antes de sair.