
DevSecOps Engineer

Anlage Infotech

Bengaluru, Karnataka, India · Full-time

Experience
5–10 yrs
Salary
Openings
1
Posted
5 hours ago
Work mode
In office
Education
B.Tech/B.E., B.C.A., B.Sc.
Eligibility
Candidates with degrees in Computer Science, Information Technology, Computer Applications, or Computer Science and Technology can apply.
Resume
Required to apply

Job description

Role Overview

We are hiring an experienced SAST / DevSecOps Security Engineer for a Bengaluru-based role. The position requires solid programming ability and deep practical knowledge of static application security testing tools, especially Fortify and Checkmarx. The focus is on secure-by-design implementation, embedding security into delivery pipelines, reducing scan noise, and helping development teams remediate issues effectively.

The selected professional will collaborate closely with development, DevOps, and architecture teams to strengthen security across the SDLC and improve vulnerability triage and remediation outcomes.

Key Responsibilities

  • Run and manage static application security scans using Fortify and Checkmarx tools, including Fortify SSC, ScanCentral, and related components.
  • Customize scan configurations, policies, and filters to improve accuracy and relevance of findings.
  • Review scan output to separate genuine issues from false alarms and rank vulnerabilities by risk, exploitability, and business impact.
  • Maintain a strong signal-to-noise ratio in security findings so teams can focus on the most meaningful risks.
  • Carry out detailed false-positive analysis by examining source code, application logic, and data flow.
  • Record the reasoning for false-positive decisions and accepted risks, and coordinate with governance teams to keep triage practices consistent.
  • Work with developers to explain findings in code context, recommend secure coding fixes, validate remediations, and rerun scans.
  • Facilitate remediation workshops, support secure code reviews, and help teams refactor insecure code patterns.
  • Integrate SAST scanning into CI/CD environments such as Jenkins, GitHub Actions, and Azure DevOps.
  • Implement pre-commit or pull-request-based scans, quality gates, and build-break policies where needed.
  • Improve scan performance and minimize pipeline disruption, including support for containerized and microservices-based builds.
  • Contribute to secure SDLC activities such as secure design reviews, threat modeling, and manual code reviews for high-risk applications.
  • Help define and enforce secure coding standards across teams.
  • Troubleshoot scan failures, build integration issues, and compatibility problems across languages and frameworks.
  • Support tool upgrades, migrations, rule pack updates, and coordination with vendor support when necessary.

Tools and Technology Exposure

  • Fortify SSC, ScanCentral, and SCA
  • Checkmarx
  • Jenkins, GitHub Actions, and Azure DevOps
  • Java, Python, JavaScript/TypeScript, or C#/.NET
  • Maven, Gradle, npm, and MSBuild
  • Git repositories such as GitHub, GitLab, and Bitbucket

Experience and Requirements

  • 5 to 10 years of experience in application security, SAST, or DevSecOps.
  • Strong programming background with the ability to read, understand, and debug production code.
  • Capability to trace data flow and execution paths in real-world applications.
  • Hands-on expertise in Fortify and/or Checkmarx.
  • Strong understanding of OWASP Top 10, CWE, CVE, and secure coding practices.
  • Prior experience in enterprise environments with CI/CD-driven delivery models.
  • Good-to-have experience with SCA tools such as Mend, Black Duck, or Snyk.
  • Exposure to API and microservices security is preferred.
  • Infrastructure-as-Code scanning experience is an added advantage.
  • Certifications such as CSSLP, GWAPT, Secure Code Warrior, or Fortify/Checkmarx certifications are preferred.

Location

Bengaluru, India.

Eligibility

Candidates with a B.Tech / B.E. in Computer Science and Engineering, Information Technology, B.C.A. in Computer Applications, B.Sc. in Computer Science and Technology, or Information Technology are eligible to apply.
