ServiceNow is a global market leader in innovative AI-enhanced technology, providing solutions to over 8,100 customers. They are seeking a DevSecOps engineer to help secure their AWS EKS Kubernetes environment and CI/CD pipeline in preparation for a FedRAMP High audit.
Responsibilities:
- Upgrade vulnerable containers in collaboration with the DevSecOps team, testing and promoting updates to production
- Apply cloud hardening and maintain Terraform/Ansible code to enforce security settings across AWS services and Kubernetes nodes per STIG and CIS benchmarks
- Design and maintain automated container patching pipelines including base image refresh, rebuild triggers, and automated PR generation
- Build and maintain vulnerability scanning workflows using Grype and/or Trivy as pipeline gates blocking promotion of images exceeding CVE thresholds
- Build and manage Argo Workflows orchestrating end-to-end patch automation from scanning through remediation, rebuild, and deployment
- Write Python-based tooling supporting pipeline logic, scan result parsing, notification routing, and patch orchestration
- Own GitHub-based development workflow: branch strategy, PR creation/review, code quality standards, and merge gate enforcement
- Conduct code reviews ensuring changes meet security, quality, and operational standards before production promotion
- Maintain production readiness practices including testing, peer review, rollback procedures, and deployment validation
- Analyze Kubernetes IAM configurations and RBAC policies to identify overprivileged roles, misconfigurations, and deviations from least-privilege principles
- Review and harden Kubernetes network setup and segmentation including network policies, namespace isolation, and inter-service communication controls
- Audit certificate usage across the cluster and pipeline, ensuring proper issuance, validity, and automated rotation; verify secrets are rotated on schedule and not hardcoded or overexposed
- Scan codebases, repos, and infrastructure configs for exposed secrets using open source tools such as Hedgehog and equivalent secret detection utilities
- Scan S3 buckets for exposed secrets and sensitive data, remediating findings and implementing preventive controls
- Review network, WAF, and Istio logs to map existing traffic flows and service communication patterns in preparation for network segmentation and a deny-by-default lockdown posture
- Develop automations for WAF rule creation and tuning based on observed traffic patterns and threat intelligence
- Leverage Claude to accelerate security research, organize remediation plans, and develop Python-based tooling for non-production-impacting automation and analysis tasks
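The CVE-threshold gate described above, as an added example (not ServiceNow's pipeline code): it normalizes either a Trivy (`trivy image --format json`) or a Grype (`grype <image> -o json`) report into one record shape, then blocks promotion on findings at or above a severity threshold. It assumes the documented top-level keys of those two formats (`Results[].Vulnerabilities[]` for Trivy, `matches[]` for Grype); the two sample reports and their placeholder CVE IDs are constructed, not real scan output. The `fixed_only` switch and the `allowlist` are design choices of this example: a rebuild cannot remediate a finding with no fixed version, so those are reported but do not block unless you ask for it, and risk-accepted IDs are excluded explicitly rather than by lowering the threshold.

```python
"""Severity-threshold promotion gate for Trivy and Grype JSON reports.

Added example, not ServiceNow's pipeline code. Assumes reports produced by
`trivy image --format json <image>` or `grype <image> -o json`; the two sample
reports below are constructed and use placeholder CVE IDs.
"""
import json
import sys

# Grype emits "Negligible"; Trivy emits "UNKNOWN". Both rank below LOW.
SEVERITY_RANK = {"UNKNOWN": 0, "NEGLIGIBLE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def normalize_trivy(report):
    """Flatten Trivy's Results[].Vulnerabilities[] into common records."""
    findings = []
    for result in report.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "id": v.get("VulnerabilityID"),
                "pkg": f'{v.get("PkgName")}@{v.get("InstalledVersion")}',
                "fixed": v.get("FixedVersion") or None,
                "severity": (v.get("Severity") or "UNKNOWN").upper(),
            })
    return findings


def normalize_grype(report):
    """Flatten Grype's matches[] into the same record shape."""
    findings = []
    for m in report.get("matches") or []:
        vuln, art = m.get("vulnerability", {}), m.get("artifact", {})
        versions = (vuln.get("fix") or {}).get("versions") or []
        findings.append({
            "id": vuln.get("id"),
            "pkg": f'{art.get("name")}@{art.get("version")}',
            "fixed": versions[0] if versions else None,
            "severity": (vuln.get("severity") or "UNKNOWN").upper(),
        })
    return findings


def load_findings(report):
    """Pick the normalizer from the report's top-level key."""
    if "Results" in report:
        return normalize_trivy(report)
    if "matches" in report:
        return normalize_grype(report)
    raise ValueError("unrecognized report: expected Trivy 'Results' or Grype 'matches'")


def gate(findings, threshold="HIGH", fixed_only=True, allowlist=()):
    """Return (passed, blocking). A finding blocks when its severity is at or
    above `threshold`, its ID is not on the risk-accepted allowlist, and
    (if fixed_only) a fixed version exists, so a rebuild can remediate it."""
    min_rank = SEVERITY_RANK[threshold.upper()]
    blocking = [
        f for f in findings
        if SEVERITY_RANK.get(f["severity"], 0) >= min_rank
        and f["id"] not in allowlist
        and (f["fixed"] is not None or not fixed_only)
    ]
    return len(blocking) == 0, blocking


# Constructed sample reports (placeholder IDs, not real CVEs).
SAMPLE_TRIVY = {"Results": [{"Target": "example:1.0 (debian 12)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "InstalledVersion": "3.0.1", "FixedVersion": "3.0.2", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6", "InstalledVersion": "2.36-1", "FixedVersion": "", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "curl", "InstalledVersion": "7.88.1", "FixedVersion": "7.88.2", "Severity": "MEDIUM"},
]}]}
SAMPLE_GRYPE = {"matches": [
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "High", "fix": {"versions": ["1.2.4"], "state": "fixed"}},
     "artifact": {"name": "example-lib", "version": "1.2.3"}},
    {"vulnerability": {"id": "CVE-0000-0005", "severity": "Negligible", "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "other-lib", "version": "0.9"}},
]}

if __name__ == "__main__":
    # Usage: python gate.py report.json [THRESHOLD]   (non-zero exit blocks promotion)
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TRIVY
    passed, blocking = gate(load_findings(report), sys.argv[2] if len(sys.argv) > 2 else "HIGH")
    for f in blocking:
        print(f'BLOCK {f["severity"]:<8} {f["id"]} {f["pkg"]} -> fix {f["fixed"]}')
    print("PASS" if passed else f"FAIL: {len(blocking)} finding(s) at/above threshold")
    sys.exit(0 if passed else 1)
```

In a pipeline step the non-zero exit is the gate; the printed `BLOCK` lines are what a Python notifier would route to the owning team, and the `allowlist` is where a reviewed risk-acceptance record lives rather than in a scanner-side ignore file that is easy to grow silently.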
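The RBAC least-privilege review above, as an added example (not ServiceNow's tooling): it reads the `items` list that `kubectl get clusterroles,clusterrolebindings -o json` produces, flags rules that are cluster-admin equivalents (wildcards), read secrets, allow `pods/exec`, or carry the `escalate`/`bind`/`impersonate` verbs, and then reports only the bindings that actually hand such a role to a subject. The sample objects are constructed and not from a real cluster; treating `cluster-admin` as flagged even when the role object is absent from the export is an assumption made so a filtered dump does not hide a `cluster-admin` binding.

```python
"""Flag overprivileged ClusterRoles and who they are bound to.

Added example, not ServiceNow's tooling. Input is the `items` list from
`kubectl get clusterroles,clusterrolebindings -o json`; the objects below are
constructed and not from a real cluster.
"""
import json
import sys

READ = {"get", "list", "watch", "*"}
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}
# Groups that make a binding effectively "everyone".
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}


def role_issues(role):
    """Return human-readable reasons a ClusterRole violates least privilege."""
    issues = []
    for rule in role.get("rules") or []:
        resources = set(rule.get("resources") or [])
        verbs = set(rule.get("verbs") or [])
        if "*" in resources and "*" in verbs:
            issues.append("wildcard resources and verbs (cluster-admin equivalent)")
        elif "*" in verbs:
            issues.append(f"wildcard verbs on {sorted(resources)}")
        elif "*" in resources:
            issues.append(f"wildcard resources for verbs {sorted(verbs)}")
        if "secrets" in resources and verbs & READ:
            issues.append("read access to secrets")
        if "pods/exec" in resources and verbs & {"create", "*"}:
            issues.append("pods/exec (shell into any pod)")
        if verbs & ESCALATION_VERBS:
            issues.append(f"privilege-escalation verbs {sorted(verbs & ESCALATION_VERBS)}")
    return issues


def audit(items):
    """Join ClusterRoleBindings to their roles; report bindings that grant
    a flagged role, with the subjects that receive it. Unbound roles are
    not reported: they grant nothing until bound."""
    issues_by_role = {o["metadata"]["name"]: role_issues(o)
                      for o in items if o.get("kind") == "ClusterRole"}
    # Assumption: the built-in cluster-admin may be missing from a filtered export.
    issues_by_role.setdefault("cluster-admin", ["built-in cluster-admin"])
    findings = []
    for b in items:
        if b.get("kind") != "ClusterRoleBinding" or b["roleRef"]["kind"] != "ClusterRole":
            continue
        reasons = list(issues_by_role.get(b["roleRef"]["name"], []))
        if not reasons:
            continue
        subjects = b.get("subjects") or []
        names = [f'{s["kind"]}:{s.get("namespace", "")}/{s["name"]}' if s["kind"] == "ServiceAccount"
                 else f'{s["kind"]}:{s["name"]}' for s in subjects]
        reasons += [f"bound to broad group {s['name']}" for s in subjects
                    if s["kind"] == "Group" and s["name"] in BROAD_GROUPS]
        findings.append({"binding": b["metadata"]["name"], "role": b["roleRef"]["name"],
                         "subjects": names, "reasons": reasons})
    return findings


# Constructed sample: one CI role with too much reach, one benign reader,
# and a deliberately bad binding of cluster-admin to every authenticated user.
SAMPLE_ITEMS = [
    {"kind": "ClusterRole", "metadata": {"name": "ci-deployer"}, "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "patch"]},
        {"apiGroups": [""], "resources": ["pods", "pods/exec"], "verbs": ["get", "create"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
    ]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-reader"}, "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    ]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-deployer-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "ci-deployer"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "ci", "name": "deployer"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "pod-readers"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
]

if __name__ == "__main__":
    # Usage: kubectl get clusterroles,clusterrolebindings -o json | python rbac_audit.py
    items = json.load(sys.stdin)["items"] if not sys.stdin.isatty() else SAMPLE_ITEMS
    for f in audit(items):
        print(f'{f["binding"]} -> {f["role"]} [{", ".join(f["subjects"])}]')
        for r in f["reasons"]:
            print(f"    - {r}")
```

Namespaced Roles and RoleBindings are the same shape and can be fed through `role_issues` unchanged; what this example does not cover is aggregated ClusterRoles (`aggregationRule`), whose effective rules only appear in the server-populated `rules` field, so audit the live object rather than the manifest in Git.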
Requirements:
- Deep familiarity with container technology and security
- Minimum of a Bachelor's degree