DevSecOps Engineer

Job description

Our next DevSecOps Engineer is someone who has ethical hacking as a hobby, who thrives on shifting left, and who collaborates with and benefits from the world of open source. Sounds like you?


Zivver is a secure communications provider, and as such security is super important at Zivver. We continuously strive to improve the security of our product and organizations. To make sure our customers know they can trust us with their most sensitive data, we ask several external auditors to review our security measures. This has resulted in many security certifications so far.


You will be part of a small Security team that is responsible for guarding Zivver against various threats. It is our core job to protect the confidentiality, integrity, and availability of data. It is your job to prepare Zivver for cyber attacks, inside threats, and bad luck. Since Zivver is a scale-up, you cannot expect a fully operational Security Operations Center. Together with your team, you will be responsible for both building the security measures and executing them. You will closely collaborate with the Engineering team and integrate security into the way we work as much as possible.


To be successful in this role you need to be a creative problem solver who can switch between the defensive and offensive mindsets.


Hot takes

  • There is only security when it is embedded security.

  • There is no bigger security expert than you.

  • If it ain’t automated, it ain’t fixed.


What you’ll do:

  • Together with the Director of Security and another DevSecOps Engineer, you will be responsible for improving the security operations of Zivver.

  • Implement ways to prevent, detect and respond to threats.

  • Keep full control over technical vulnerabilities in our entire suite of products and our internal IT.

  • Integrate security into the CI/CD pipeline.

  • Share insights on the technical risks with the Director of Security and management.

  • Advise the engineering and internal IT team on security best practices.

  • Increase security awareness and knowledge of your colleagues.

  • Act as first responder to threats and security incidents.


Benefits

  • An exciting, fast-growing, energetic environment

  • International diverse team with over 27 nationalities - and yes, we offer Dutch classes too!

  • We value a healthy life-work balance. We mean it when we say: Take a vacation! We offer unlimited holidays for you to take care of yourself whenever you need it.

  • HQ in Amsterdam where you’re able to work a few days a week & full home office support to make sure you’re all set

  • Working from Bali, the US or Spain? Any place, anywhere: we fully support temporary working from X

  • At least €1.000,- per year on personal development budget

  • All the relocation benefits you need for a fresh start

  • Don’t worry about tomorrow: we’ve got you covered with a pension plan.

Requirements

Expertise you’ll bring:

  • 2+ years of experience as a DevSecOps Engineer

  • Blue team experience - you hold the fort

  • You’re experienced with a cloud-based infrastructure, preferably AWS & containers

  • You’re experienced with vulnerability management

  • You’re experienced with threat management and intrusion detection

  • You have experience with SIEM products

  • Familiar with DevOps or DevSecOps and with a Java ecosystem

  • Knowledge of security in the CI/CD pipeline


Soft skills you’ll bring:

  • You are a self-starter, but know how to involve your stakeholders

  • Proud of successes, peeved by mistakes, resilient to recover and learn

  • You work effectively as an individual contributor but also as part of a wider and diverse team - this is key as Zivver has a hybrid working environment.

  • Creative problem solving


If you’re still reading and excited about this role, we welcome your application even if you think you don’t meet all the requirements. We understand that no candidate is perfect, and would love to hear your story. Keen to learn a bit more? Keep reading.


A day at Zivver

You just started your workday when a colleague in the engineering team asks if you could brainstorm with them on how to embed security in the development pipeline. That is interesting, so you quickly plan a meeting for later that morning because you first have to check out a few alerts which need investigating; there appears to be some suspicious behavior on the platform. You spend a couple of hours on this and are relieved: it was a false alarm. Nevertheless, you found a few easy ways to improve the alerting which can be picked up later this week.


After lunch, you have a look at the incoming vulnerability reports in HackerOne. There is one interesting report on a possible bypass of a rate limiter. The report turns out to be valid. You respond to the security researcher and create a follow-up ticket for the engineering team.


In the afternoon you attend the Security Core in which the security team comes together to discuss ongoing security concerns. You present the insight you gained by improving the intrusion detection tooling. The team is happy with the progress and asks some critical questions, and you leave feeling motivated and eager to continue working on this.


For the last hour of the day you start investigating the best ways to improve your visibility on the vulnerabilities in the containers and create actionable output for the engineering teams. You want to make sure you have some good ideas before the brainstorming session with the Director of Security and the DevOps team tomorrow. After work, you head to the Hummingbar for a beer and get ready for the Hackathon that you have planned for the evening.