DevSecOps Architect

Job Locations: IN-MH-Mumbai
Job area: IT & Digital
Employment type: Permanent or Fixed Term Contract
Workplace: On-Site
ID: 2025-49006

Overview

Experience: 6–8 Years
Industry: Enterprise Applications / Energy / Manufacturing

Role Overview
The DevSecOps Architect is responsible for defining, architecting, and implementing an enterprise-wide DevSecOps and Software Factory (Secure SDLC) framework. This role will lead assessments and gap analysis of current development and delivery practices, design target-state DevSecOps architectures, and drive the implementation of secure software factory pipelines, tooling, and processes across the organization.
You will work closely with application development, platform engineering, security, operations, compliance, and business stakeholders to embed security and quality into every phase of the software development lifecycle, from planning to production.
Key Responsibilities
1. Assessment & Gap Analysis
• Conduct detailed assessments of current SDLC, CI/CD, and security practices across application teams and platforms.
• Identify maturity levels for DevSecOps practices using industry frameworks (e.g., NIST SSDF, OWASP SAMM, BSIMM).
• Perform gap analysis of people, process, and technology against target DevSecOps and Secure SDLC capabilities.
• Document findings and provide prioritized remediation and improvement roadmaps.
2. Software Factory / Secure SDLC Framework
• Define and architect a standardized Software Factory Model framework (Secure SDLC) for the enterprise.
• Develop reference architectures, blueprints, and patterns for:
  o Source control and branch strategy
  o CI/CD pipelines
  o Security testing integration (SAST, DAST, SCA, secrets scanning, container scanning, IaC scanning)
  o Artifact management and promotion
  o Environment provisioning and configuration management
• Define security and quality gates for each phase of the SDLC and pipeline stages.
• Establish standardized templates, configurations, and reusable components to accelerate adoption.
3. Enterprise DevSecOps Design & Implementation
• Design and lead the implementation of DevSecOps practices across multiple business units and application portfolios.
• Define enterprise standards for:
  o Build and release automation
  o Infrastructure as Code (IaC) and GitOps
  o Containerization and orchestration (e.g., Docker, Kubernetes)
  o Secrets and key management
  o Identity and access control for CI/CD, tools, and runtime environments
• Integrate security controls into development workflows and pipelines (shift-left security).
• Collaborate with platform and cloud teams to architect secure, automated environments (on-prem, cloud, or hybrid).
4. Tooling Strategy & Integration
• Evaluate and select DevSecOps tools in alignment with enterprise architecture and security requirements.
• Define toolchain integration patterns, including:
  o SCM, CI/CD, security scanners, artifact repositories, registries, monitoring, and logging platforms
• Drive automation for:
  o Policy-as-code
  o Compliance-as-code
  o Security controls and guardrails
• Ensure logging, monitoring, and alerting capabilities are integrated into pipelines and runtime environments (e.g., SIEM, APM, observability platforms).
5. Governance, Policy & Compliance
• Define and enforce DevSecOps and Secure SDLC policies, standards, and best practices.
• Align DevSecOps architecture with regulatory and compliance requirements.
• Implement automated controls and checks to validate compliance in pipelines and environments.
6. Enablement, Training & Change Management
• Act as a primary DevSecOps and Secure SDLC evangelist across the enterprise.
• Provide coaching, guidance, and hands-on support to development and operations teams in adopting new practices and tools.
• Create and maintain documentation, playbooks, and standards for pipelines, security controls, and patterns.
• Conduct training sessions, workshops, and brown-bag sessions on DevSecOps principles and secure coding practices.
7. Continuous Improvement & Innovation
• Continuously review and improve the Software Factory model and DevSecOps framework based on feedback, metrics, and evolving threats.
• Stay current with emerging technologies, methodologies, and security risks in DevOps, cloud, and application security.
• Pilot and introduce new practices (e.g., chaos engineering, zero-trust principles in CI/CD, SBOM management, supply-chain security).
Required Qualifications
• Bachelor’s degree in Computer Science, Information Technology, Engineering, or related field (or equivalent experience).
• 8+ years of experience in software development, DevOps, or platform engineering roles.
• 3+ years of specialized experience in DevSecOps, Application Security, or Security Architecture.
• Proven experience designing and implementing enterprise-scale CI/CD pipelines and DevOps toolchains.
• Strong understanding of Secure SDLC concepts and frameworks (e.g., NIST SSDF, OWASP SAMM, OWASP Top 10, CWE).
