Alpaca - DevSecOps Engineer
Requirements
• Excited about Alpaca’s mission and what we’re building
• 5+ years of experience across DevSecOps, security engineering, or cloud security in a modern cloud-native environment
• Strong hands-on experience with CSPs, Kubernetes, Terraform, and container security
• Deep understanding of secure CI/CD, including IaC security, dependency/SCA, secrets scanning, and policy-as-code
• Solid background in identity & access security
• Experience automating vulnerability management and patching workflows across cloud and container ecosystems
• Strong familiarity with detection engineering, logging/telemetry, and partnering in incident response
• Proficient in a scripting/programming language (Python, Go, or similar) for automation and security tooling
• Comfortable working cross-functionally with DevOps and Engineering teams, explaining risk in practical terms, and influencing secure design
• Comfortable participating in on-call rotations

Who You Might Be (Nice-to-Haves):
• Experience securing financial, trading, or other highly regulated platforms
• Knowledge of regulatory frameworks common in fintech (SOC 2, ISO 27001, PCI)
• Experience with supply-chain security (SBOMs, Sigstore, artifact signing) or software integrity programs
• Familiarity with offensive security, bug bounty triage, or penetration testing
• Security or cloud certifications (CISSP, OSCP, GIAC, GCP/AWS Security)
• Bachelor's degree in Computer Science, Information Security, or equivalent experience.
• Business acumen to be able to balance tradeoffs between stakeholders, technology feasibility and budget constraints

How We Take Care of You:
• Competitive Salary & Stock Options
• Health Benefits
• New Hire Home-Office Setup: One-time USD $500
• Monthly Stipend: USD $150 per month via a Brex Card

Alpaca is proud to be an equal opportunity workplace dedicated to pursuing and hiring a diverse workforce.
Responsibilities
We are seeking a DevSecOps Engineer to own the intersection of security, reliability, and DevOps. This role will design and implement resiliency across our cloud platform and CI/CD pipelines, embed “security as code,” help lead incident response for high-severity outages, and partner with engineering teams to enable safe, fast delivery at scale.

You will be hands-on and strategic: automating remediation, hardening deployments, owning observability, and driving measurable reductions in security/infra related incident impact. This role reports to the CISO, with a dotted line into Engineering and works closely with DevOps, Product, and Engineering leadership.

The Security Team is 100% distributed and remote.

Things You Get To Do:

The core responsibilities of the DevSecOps Engineer role are focused on embedding security throughout our infrastructure and software development lifecycle, enhancing cyber resilience, and driving a strong security culture.

Security Engineering & Automation:
• Secure SDLC Integration: Embed security into CI/CD pipelines by implementing and owning secure controls, including Infrastructure as Code (IaC) scanning, Software Composition Analysis (SCA), secrets checks, policy-as-code, and deployment guardrails.
• Vulnerability Management: Lead the process of vulnerability and patch management, automating discovery, prioritization, and remediation across all cloud workloads and their dependencies.
• Platform Hardening: Strengthen cloud and Kubernetes environments through secure configurations, network segmentation, workload identity management, and automated compliance against industry standards (e.g., CSA Star).
• Supply Chain Security: Advance the security of the software supply chain, focusing on generating Software Bill of Materials (SBOMs), artifact signing, dependency governance, and implementing integrity controls.
• Secure Patterns: Create secure "paved roads" for developers, providing hardened IaC modules, templates, tooling, and comprehensive documentation.

Resilience, Detection, and Response:
• Cyber Resilience: Own and validate cyber-resiliency standards (secure failover, secure backups, Disaster Recovery playbooks) through secure rehearsals to ensure both the availability and integrity of systems and data
• Security Deployment: Develop secure deployment patterns, such as canary rollouts, automated safe rollbacks, and guardrails to minimize blast radius
• Detection & Forensics: Improve detection and response capabilities by building high-signal alerts, enhancing forensic logging, and providing robust security telemetry. Partner with the SecOps team on incident handling
• Offensive Security: Alongside the Security team, help manage offensive security engagements (penetration testing, red team, bug bounty) and ensure findings are fed directly into remediation pipelines and risk prioritization

Architecture, Identity, and Governance:
• Design & Threat Modeling: Conduct security reviews and threat modeling for all new services and major architecture changes to ensure designs are secure-by-default
• Identity & Access Management (IAM): Strengthen the identity and access model by enforcing the principle of least privilege, strong authentication, and secure secrets lifecycle management
• Compliance & Audit: Support compliance and audit readiness by operationalizing security controls, producing necessary evidence, and maintaining the health of these controls

Leadership & Culture:
• Security Champion: Champion a strong security culture by partnering with DevOps and Engineering teams to uplift secure coding practices and guide risk-based decision-making
• Metrics & Reporting: Define key security performance indicators (KPIs) such as time to detect, time to remediate, exposure scores, and percentage of infrastructure covered by automated controls, and report measurable improvements to leadership