DevSecOps Engineer

We are looking for a DevSecOps Engineer with 3+ years of experience to help audit, strengthen, and improve the security posture of a small but growing SaaS platform serving nonprofit and corporate clients. 

This role is security-first, with DevOps responsibilities as a secondary layer. The main goal is to assess the current infrastructure, identify security and compliance gaps, and implement a practical roadmap to improve the platform’s overall resilience, compliance readiness, and long-term sustainability. 

Project scope: 

- Initial security and infrastructure audit 

- Identify risks, vulnerabilities, and operational gaps 

- Build and prioritize a remediation roadmap 

- Implement key improvements over a 2–3 month engagement 

- Potential for ongoing periodic security reviews and advisory support afterward 

Current stack / environment: 

- Git 

- GitHub Actions 

- Docker 

- AWS 

- Render 

What you will do: 

- Audit the current cloud and application setup from a security and DevSecOps perspective 

- Review infrastructure, deployment processes, DNS configuration, access controls, and backup/disaster recovery practices 

- Identify gaps related to SOC 2 readiness and help prepare for stronger enterprise security expectations 

- Assess security controls around CI/CD, secrets management, container images, user access, and production environments 

- Review existing vulnerability scanning practices and recommend improvements, including dynamic scanning where needed 

- Help define and implement practical controls such as firewalling, hardening, monitoring, least-privilege access, and security hygiene improvements 

- Investigate risks related to DNS, exposed services, stale records, misconfigurations, and other overlooked infrastructure issues 

- Support the team in creating a sustainable, right-sized security approach for a small organization without overengineering 

- Translate findings into an actionable roadmap with clear priorities, balancing risk, cost, and implementation effort 

- Help improve confidence in responding to enterprise security questionnaires from large corporate clients 

What we are looking for: 

- 3+ years of hands-on experience in DevSecOps, DevOps with a strong security focus, or cloud/infrastructure security 

- Strong experience with AWS and cloud security best practices - Experience with GitHub Actions, CI/CD security, Docker, and container/image scanning 

- Experience reviewing and securing hosted platforms, including PaaS environments such as Render or similar 

- Solid understanding of IAM/access control, secrets management, DNS security, backups, disaster recovery, and infrastructure hardening 

- Experience identifying and remediating security gaps in small or mid-sized SaaS environments 

- Familiarity with SOC 2 controls and general compliance-oriented security practices 

- Ability to recommend pragmatic, cost-conscious solutions for a small team 

- Strong communication skills and ability to explain risks, tradeoffs, and priorities clearly to non-security stakeholders 

- English level: B2 minimum

Availability requirements: 

- Must be available for overlap from 14:00 to 16:00 Mountain Time (MT) 

- Outside of that window, the working schedule is flexible 

Nice to have: 

- Experience with GDPR readiness or compliance-related security improvements 

- Experience supporting penetration testing remediation 

- Experience with SSO/security controls for B2B or enterprise clients 

- Experience working with lean startups, nonprofits, or small product teams

We are looking for someone practical, hands-on, and able to combine audit thinking with execution. 

Engagement: 

- Estimated initial duration: 2–3 months 

- Potential for ongoing part-time or periodic audit/advisory support