




Summary: We are seeking a Secure Development Analyst to operate and enhance DevSecOps capabilities, strengthening CI/CD delivery by embedding automated security controls and actionable guidance for engineering teams.

Highlights:
1. Operate and enhance DevSecOps capabilities
2. Strengthen CI/CD delivery with automated security controls
3. Collaborate with development and architecture teams on secure coding

We are looking for a **Secure Development Analyst** to operate and enhance our DevSecOps capabilities, strengthening CI/CD delivery by embedding automated security controls and actionable guidance for engineering teams. You will help keep our Jenkins + Podman ecosystem running smoothly while partnering with developers to reduce risk.

**Responsibilities**

* Operate the DevSecOps infrastructure supporting Veracode scans across the Jenkins + Podman stack
* Maintain and improve CI/CD pipelines by adding automated controls for SAST, SCA, DAST, secret scanning, and container image analysis
* Design security gates that reduce risk while preserving developer velocity
* Integrate and maintain tooling connections across Bitbucket, SonarQube, and JFrog Artifactory
* Triage security findings, prioritize remediation work, and support teams through resolution
* Intervene early in agile delivery by conducting design reviews and story reviews against defined standards
* Collaborate with development and architecture teams to promote secure coding practices and consistent implementation of security requirements

**Requirements**

* 2+ years of experience in AppSec, DevSecOps, DevOps, or development roles with a security focus
* Hands-on experience with Jenkins, including declarative pipelines, shared libraries, and agent management
* Hands-on experience with Podman for containerized build and scan workflows
* Project experience operating and evolving DevSecOps infrastructure supporting SAST/SCA/DAST workflows
* Strong knowledge of secure development frameworks and standards: NIST SSDF (SP 800-218), OWASP ASVS, OWASP SAMM, OWASP Top 10 (Web/API/LLM/Mobile), SEI CERT, MITRE ATT&CK, and CWE Top 25
* Solid understanding of security testing approaches and tools (SAST, SCA, DAST, IAST, and secret scanning)
* Working knowledge of container ecosystems and orchestration (Docker, Kubernetes/OpenShift) and image scanning concepts
* Proficiency with CI/CD and repository integrations such as Bitbucket/Git, SonarQube, and JFrog Artifactory
* Familiarity with cloud platforms (AWS, Azure, or GCP) and CIS Benchmarks
* Skills in development languages and stacks, with the ability to read and analyze source code (Java, Node.js, JavaScript/TypeScript, Python, Go, .NET)
* Knowledge of authentication and federation (OIDC, OAuth 2.0, SAML, JWT, mTLS) and IdPs such as Keycloak
* Background in secure transport protocols (SSL/TLS), PKI, and secret management (Vault, secrets managers)
* Threat modeling experience with STRIDE, PASTA, or attack trees
* Knowledge of OWASP best practices for preventing attacks and of common attack vectors in web applications and APIs
* Good communication skills to explain findings clearly and propose pragmatic fixes
* English proficiency at a B1+ level

**Nice to have**

* Computer science student or graduate (or related field)
* Experience with Veracode, Checkmarx, Snyk, Semgrep, or GitLeaks

**We offer**

* International projects with top brands
* Work with global teams of highly skilled, diverse peers
* Healthcare benefits
* Employee financial programs
* Paid time off and sick leave
* Upskilling, reskilling and certification courses
* Unlimited access to the LinkedIn Learning library and 22,000+ courses
* Global career opportunities
* Volunteer and community involvement opportunities
* EPAM Employee Groups
* Award-winning culture recognized by Glassdoor, Newsweek and LinkedIn


