Cypress HCMRemote
DevSecOps Engineer – Security Automation & Pipeline Development, 37294688
United States of America
Full Time
2 days ago
$80 - $91 USD
Visa Sponsor
Key skills
PythonAIClaudeCypressAWSTerraformKubernetesAnsibleEKSArgoCDS3IAMOktaSAMLGitHubGitLabIstioCI/CDCommunicationCollaborationTrivyWAF
About this role
Cypress HCM is seeking a DevSecOps Engineer to enhance security within their AWS EKS Kubernetes environment and CI/CD pipeline in preparation for a FedRAMP High audit. The role involves upgrading vulnerable containers, maintaining security settings, and developing automated patching pipelines while ensuring compliance with security standards.
Responsibilities:
- Upgrade vulnerable containers in collaboration with the DevSecOps team, testing and promoting updates to production
- Apply cloud hardening and maintain Terraform/Ansible code to enforce security settings across AWS services and Kubernetes nodes per STIG and CIS benchmarks
- Design and maintain automated container patching pipelines including base image refresh, rebuild triggers, and automated PR generation
- Build and maintain vulnerability scanning workflows using Grype and/or Trivy as pipeline gates blocking promotion of images exceeding CVE thresholds
- Build and manage Argo Workflows orchestrating end-to-end patch automation from scanning through remediation, rebuild, and deployment
- Write Python-based tooling supporting pipeline logic, scan result parsing, notification routing, and patch orchestration
- Own GitHub-based development workflow: branch strategy, PR creation/review, code quality standards, and merge gate enforcement
- Conduct code reviews ensuring changes meet security, quality, and operational standards before production promotion
- Maintain production readiness practices including testing, peer review, rollback procedures, and deployment validation
- Analyze Kubernetes IAM configurations and RBAC policies to identify overprivileged roles, misconfigurations, and deviations from least-privilege principles
- Review and harden Kubernetes network setup and segmentation including network policies, namespace isolation, and inter-service communication controls
- Audit certificate usage across the cluster and pipeline, ensuring proper issuance, validity, and automated rotation; verify secrets are rotated on schedule and not hardcoded or overexposed
- Scan codebases, repos, and infrastructure configs for exposed secrets using open source tools such as Hedgehog and equivalent secret detection utilities
- Scan S3 buckets for exposed secrets and sensitive data, remediating findings and implementing preventive controls
- Review network, WAF, and Istio logs to map existing traffic flows and service communication patterns in preparation for network segmentation and a deny-by-default lockdown posture
- Develop automations for WAF rule creation and tuning based on observed traffic patterns and threat intelligence
- Leverage Claude to accelerate security research, organize remediation plans, and develop Python-based tooling for non-production-impacting automation and analysis tasks
Requirements:
- Deep familiarity with container technology and security
- Upgrade vulnerable containers in collaboration with the DevSecOps team, testing and promoting updates to production
- Apply cloud hardening and maintain Terraform/Ansible code to enforce security settings across AWS services and Kubernetes nodes per STIG and CIS benchmarks
- Design and maintain automated container patching pipelines including base image refresh, rebuild triggers, and automated PR generation
- Build and maintain vulnerability scanning workflows using Grype and/or Trivy as pipeline gates blocking promotion of images exceeding CVE thresholds
- Build and manage Argo Workflows orchestrating end-to-end patch automation from scanning through remediation, rebuild, and deployment
- Write Python-based tooling supporting pipeline logic, scan result parsing, notification routing, and patch orchestration
- Own GitHub-based development workflow: branch strategy, PR creation/review, code quality standards, and merge gate enforcement
- Conduct code reviews ensuring changes meet security, quality, and operational standards before production promotion
- Maintain production readiness practices including testing, peer review, rollback procedures, and deployment validation
- Analyze Kubernetes IAM configurations and RBAC policies to identify overprivileged roles, misconfigurations, and deviations from least-privilege principles
- Review and harden Kubernetes network setup and segmentation including network policies, namespace isolation, and inter-service communication controls
- Audit certificate usage across the cluster and pipeline, ensuring proper issuance, validity, and automated rotation; verify secrets are rotated on schedule and not hardcoded or overexposed
- Scan codebases, repos, and infrastructure configs for exposed secrets using open source tools such as Hedgehog and equivalent secret detection utilities
- Scan S3 buckets for exposed secrets and sensitive data, remediating findings and implementing preventive controls
- Review network, WAF, and Istio logs to map existing traffic flows and service communication patterns in preparation for network segmentation and a deny-by-default lockdown posture
- Develop automations for WAF rule creation and tuning based on observed traffic patterns and threat intelligence
- Leverage Claude to accelerate security research, organize remediation plans, and develop Python-based tooling for non-production-impacting automation and analysis tasks
- AWS EKS
- Kubernetes
- Terraform
- Ansible
- ArgoCD
- Argo Workflows
- GitLab
- GitHub
- FedRAMP
- STIG
- CIS Benchmarks
- RBAC
- IAM
- Okta/OIDC
- SAML
- WAF
- Istio
- Network Segmentation
- Certificate Management
- Secrets Rotation
- Least Privilege
- Grype
- Anchore
- Hedgehog
- S3 Scanning
- Vulnerability Scanning
- Secrets Detection
- Python
- CI/CD Pipelines
- Code Review
- PR Management
- Patch Automation
- Claude
- AI-Assisted Coding