
Staff Engineer, Software

Thermo Fisher · Biotechnology and Life Sciences


Posted

Today


About the role

Work Schedule

First Shift (Days)

Environmental Conditions

Office

Job Description

Thermo Fisher Scientific Inc. (NYSE: TMO) is the world leader in serving science, with revenues of more than $20 billion and approximately 65,000 employees globally. Our mission is to enable our customers to make the world healthier, cleaner and safer. We help our customers accelerate life sciences research, solve complex analytical challenges, improve patient diagnostics, deliver medicines to market and increase laboratory productivity. Through our premier brands – Thermo Scientific, Applied Biosystems, Invitrogen, Fisher Scientific and Unity Lab Services – we offer an unmatched combination of innovative technologies, purchasing convenience and comprehensive services.

The Position

We are seeking a DevSecOps Engineer to integrate security practices into our DevOps processes, ensuring that applications and infrastructure are secure by design. This role focuses on embedding security controls across the CI/CD pipeline, enabling secure software delivery while maintaining development velocity.

You will work closely with development, QA, DevOps, and security teams to identify risks, implement automated security checks, and enforce best practices across the software development lifecycle. The role requires a proactive mindset to continuously improve security posture in complex, distributed environments.

Key responsibilities include, but are not limited to:

  • Design, implement, and maintain secure CI/CD pipelines using Jenkins and GitLab, ensuring integration of security controls throughout the software delivery lifecycle 

  • Implement and manage automated SBOM generation (CycloneDX, SPDX) within CI/CD pipelines, ensuring accuracy and completeness of metadata 

  • Integrate SBOM data with vulnerability management platforms (e.g., Dependency-Track) to enable continuous monitoring of third-party risks 

  • Support compliance with cybersecurity regulations and standards (including Executive Order 14028), translating requirements into enforceable technical controls, and prepare for the EU Cyber Resilience Act (CRA)

  • Implement and manage vulnerability tracking and remediation workflows using tools such as DefectDojo 

  • Establish and enforce software supply chain security practices, including governance of third-party and open-source components 

  • Manage and maintain artifact repositories, ensuring proper classification of internal vs. external packages and secure usage of package sources (NuGet, Conan, Sky) 

  • Implement and enforce software license compliance, including automated license scanning and validation using SPDX identifiers 

  • Design and maintain secure, isolated, or controlled build environments to ensure integrity of the software build process 

  • Integrate static code analysis and security scanning tools (e.g., SonarQube, TICS and CodeQL) into CI/CD pipelines

  • Develop and maintain automation scripts (Python, PowerShell) to support security processes and pipeline efficiency 

  • Secure containerized environments (Docker, Kubernetes), including image hardening, access control (RBAC), and vulnerability scanning 

  • Collaborate with infrastructure teams to ensure VMware environments are hardened and aligned with security best practices 

  • Apply Secure Software Development Lifecycle (SSDLC) practices across development teams, embedding security early in the process 

  • Define, implement, and enforce security policies, standards, and compliance controls across development and DevOps workflows 

  • Collaborate closely with development, QA, and DevOps teams to remediate vulnerabilities and improve secure coding practices 

  • Support audit and compliance activities by maintaining documentation, traceability, and evidence in tools such as Confluence 

  • Proven experience in supporting teams performing OWASP threat modeling 

  • Participate in Agile processes using Jira, contributing to sprint planning, backlog refinement, and continuous improvement initiatives 

  • Work within Scrum, Kanban, and scaled Agile (ART) environments, collaborating with cross-ART teams to align on shared security practices 

  • Perform risk assessments and proactively identify security gaps, proposing and implementing mitigation strategies 

  • Continuously improve DevSecOps tooling, processes, and practices to enhance security posture without impacting delivery speed

Requirements:

The ideal candidate combines strong DevOps expertise with deep knowledge of application security, software supply chain security, and regulatory compliance, and thrives in complex, highly regulated environments.

  • University degree in Computer Science, Cybersecurity, Software Engineering, or a related technical discipline 

  • 8+ years of strong experience designing, implementing, and maintaining secure CI/CD pipelines using Jenkins and GitLab

  • Mandatory hands-on experience implementing Software Bill of Materials (SBOM) generation within CI/CD pipelines (CycloneDX, SPDX formats), including metadata collection and validation 

  • Experience integrating SBOMs with vulnerability management platforms such as Dependency-Track or equivalent tools 

  • Hands-on experience with vulnerability management and tracking tools (e.g., DefectDojo or similar), including remediation workflows 

  • Strong understanding of software supply chain security, including governance of third-party and open-source components 

  • Experience managing artifact repositories and package ecosystems, including NuGet, Conan, and internal repositories (e.g., Sky), with clear understanding of internal vs. external package classification 

  • Strong knowledge of software license management, SPDX license identifiers, and automated license compliance enforcement 

  • Experience integrating static code analysis and security scanning tools (e.g., SonarQube, TICS, CodeQL) into CI/CD pipelines 

  • Hands-on experience designing and maintaining secure, isolated, or controlled build environments 

  • Strong scripting and automation skills using Python and/or PowerShell 

  • Experience securing containerized environments using Docker and Kubernetes, including image hardening, RBAC, and vulnerability scanning 

  • Strong understanding of VMware infrastructure security and system hardening best practices 

  • Solid understanding and practical application of Secure Software Development Lifecycle (SSDLC) principles 

  • Experience defining, implementing, and enforcing security policies, standards, and compliance controls across development and DevOps processes 

  • Experience supporting compliance with cybersecurity regulations and standards (e.g., Executive Order 14028, EU Cyber Resilience Act) and translating them into technical implementations 

  • Familiarity with OWASP practices, including supporting or contributing to threat modeling activities 

  • Experience working in audit-driven and regulated environments, with ability to produce documentation, traceability, and compliance evidence (e.g., via Confluence) 

  • Experience working in Agile environments using Jira, including Scrum, Kanban, and scaled Agile frameworks (ART) 

  • Strong analytical, risk assessment, and problem-solving skills, with the ability to identify vulnerabilities and propose effective mitigation strategies 

  • Proven ability to collaborate effectively with development, QA, DevOps, and infrastructure teams to drive secure development practices 

  • Strong communication skills, with the ability to translate security and regulatory requirements into actionable technical solutions 

  • Fluent in English (B2 level or higher) 


Aplyr's read

Thermo Fisher Scientific is a powerhouse in biotechnology, attracting professionals passionate about advancing scientific research and innovation across diverse roles and regions.

Synthesized from recent postings & public sources

What's promising

  • Thermo Fisher is a leader in the biotech industry, offering stability and growth potential.
  • The company invests heavily in R&D, fostering innovation and cutting-edge solutions.
  • Global presence provides diverse career opportunities across multiple regions and disciplines.

What to watch

  • High pressure and fast-paced environment may not suit everyone.
  • Complex organizational structure can lead to communication challenges.
  • Frequent acquisitions may result in uncertainty and change for employees.

Why Thermo Fisher

  • Thermo Fisher's broad product portfolio spans laboratory equipment to clinical diagnostics.
  • The company plays a crucial role in global scientific advancements and healthcare solutions.
  • Strong focus on sustainability and corporate responsibility sets it apart in the industry.

Aplyr's read is generated by AI from public sources.

About Thermo Fisher

Thermo Fisher Scientific is a global leader in serving science, providing a range of products and services to help researchers and scientists in laboratories and clinical settings.
