DevSecOps Engineer

Department
 

BSD CTD - DevSecOps

About the Department
 

The Center for Translational Data Science (CTDS) at the University of Chicago is a research center whose mission is to develop the discipline of translational data science to impactful problems in biology, medicine, healthcare, and the environment. We envision a world in which researchers have ready access to the data needed and the tools required to make data driven discoveries that increase our scientific knowledge and improve the quality of life. We architect ecosystems of large-scale commons of research data, computing resources, applications, tools, and services for the broader research community to use data at scale to pursue scientific inquiry and accelerate discovery. Learn more at https://gdc.cancer.gov/, https://gen3.org/, https://stats.gen3.org/, and https://ctds.uchicago.edu/.

Job Summary
 

As a DevSecOps Engineer on our team, you'll use your development experience to streamline our secure software development life cycle, security automation and orchestration, and incident response from requirements to monitoring in production You'll incorporate open-source tools, automation, and Cloud resources to cut down on tedious, monotonous tasks and free up the teams to do what they do best - innovate.
This at-will position is wholly or partially funded by contractual grant funding which is renewed under provisions set by the grantor of the contract. Employment will be contingent upon the continued receipt of these grant funds and satisfactory job performance.

Responsibilities

• Evaluate and analyze threat, vulnerability, impact, and risk of security issues discovered from various DevSecOps tools such as Static Application Security Testing (SAST), Software Composition Analysis (SCA), Interactive Application Security Testing (IAST), Dynamic Application Security Testing (DAST) and Container Security platform.

• Advise and collaborate with DevOps teams, developers, application, and project teams on the security issues, including explanation of the technical details and how they can remediate the vulnerabilities in their applications.

• Develop and design DevSecOps metrics, policies, processes, and procedures.

• Provide training to developers and other stakeholders on the usage of the tools.

• Assist with implementing and designing automated security checks and additional security tools within the CI/CD pipelines.

• Conduct POCs and work with vendors for DevSecOps tools to achieve security automation and efficiency.

• Effectively communicate and manage expectations of various stakeholders.

• Keep abreast of the latest industry trends in security and DevSecOps processes and make continuous recommendations for improvement.

• Assist in maintaining FedRamp Moderate and FISMA Moderate compliance.

• Investigates, analyzes and resolves day-to-day technical problems using standard procedures.

• Works with stakeholders to gather and analyze requirements for developmental programs. Receives a moderate level of guidance to design applications to meet University and business requirements.

• Performs code testing on components and works to ensure that appropriate implementation standards are met. Evaluates design alternatives for development cost and solutions using various methods.

• Supports and maintains existing applications. Works with developers and responds to requests from users.

• Performs other related work as needed.

Minimum Qualifications
 

Education:

Minimum requirements include a college or university degree in related field.

---
Work Experience:

Minimum requirements include knowledge and skills developed through 5-7 years of work experience in a related job discipline.

---
Certifications:

---

Preferred Qualifications

Education:

• A recognized university degree in Computer Science, Computer/Electrical Engineering, Information Technology or equivalent.

Experience:

• 2+ years of experience developing infrastructure, system configuration and/or deployment automation, for one or more cloud platforms including OpenStack, AWS, GCP, and Azure.

• Sound technical background of working with SAST, SCA, DAST, IAST and other vulnerability scanning tools.

• Prior experience in performing secure code reviews, web application penetration tests.

• Solid understanding of full DevSecOps pipeline, Agile methodology, container security, APIs and microservices.

• Capable of working with various CI/CD tools.

• Analytical thinker with excellent communication skills.

• Familiarity of NIST 800-53, FedRAMP, FISMA, HIPPA and other regulatory/industries requirements.

• Experience with Palo XSOAR.

Licenses and Certifications:

• GWAPT, CEH, OSCP, CISSP etc.

Preferred Competencies

• Ability to promptly respond to, triage and resolve production incidents and events.

• Ability to prioritize and manage workload to meet critical project milestones and deadlines.

• Ability to weigh business needs against security concern.

• Ability to conceptualize a course of action and to organize for the successful completion of that action is critical, often under tight deadlines.

• Ability to present information in a consistent and concise manner.

• Proficient understanding of programming languages.

• Knowledge in scripting to support the automation and continuous improvement of processes.

• Knowledge of Python for use and development of a Security Orchestration, Automation, and Response platform.

• Knowledge in build/release tools and methodologies in CI/CD pipelines, including Argo and Helm.

• Confidentiality related to sensitive matters such as strategic initiatives, trade secrets, quiet periods, and scientific discoveries yet to be put in the public domain.

Application Documents  

• Resume (required)

• Cover Letter (preferred)

When applying, the document(s) MUST  be uploaded via the My Experience page, in the section titled Application Documents of the application.

Job Family
 

Information Technology

Role Impact
 

Individual Contributor

FLSA Status
 

Exempt

Pay Frequency
 

Monthly

Scheduled Weekly Hours
 

40

Benefits Eligible
 

Yes

Drug Test Required
 

No

Health Screen Required
 

No

Motor Vehicle Record Inquiry Required
 

No

Posting Statement
 

The University of Chicago is an Affirmative Action/Equal Opportunity/Disabled/Veterans and does not discriminate on the basis of race, color, religion, sex, sexual orientation, gender, gender identity, national or ethnic origin, age, status as an individual with a disability, military or veteran status, genetic information, or other protected classes under the law. For additional information please see the University's Notice of Nondiscrimination.

 

Staff Job seekers in need of a reasonable accommodation to complete the application process should call 773-702-5800 or submit a request via Applicant Inquiry Form.

 

We seek a diverse pool of applicants who wish to join an academic community that places the highest value on rigorous inquiry and encourages a diversity of perspectives, experiences, groups of individuals, and ideas to inform and stimulate intellectual challenge, engagement, and exchange.

 

All offers of employment are contingent upon a background check that includes a review of conviction history.  A conviction does not automatically preclude University employment.  Rather, the University considers conviction information on a case-by-case basis and assesses the nature of the offense, the circumstances surrounding it, the proximity in time of the conviction, and its relevance to the position.

 

The University of Chicago's Annual Security & Fire Safety Report (Report) provides information about University offices and programs that provide safety support, crime and fire statistics, emergency response and communications plans, and other policies and information. The Report can be accessed online at: http://securityreport.uchicago.edu . Paper copies of the Report are available, upon request, from the University of Chicago Police Department, 850 E. 61st Street, Chicago, IL 60637.