DevSecOps Engineer

Uvik Software

DevSecOps Engineer (Short-Term Project, with potential ongoing advisory support)

 

We are looking for a DevSecOps Engineer with 3+ years of experience to help audit, strengthen, and improve the security posture of a small but growing SaaS platform serving nonprofit and corporate clients.

 

This role is security-first, with DevOps responsibilities as a secondary layer. The main goal is to assess the current infrastructure, identify security and compliance gaps, and implement a practical roadmap to improve the platform’s overall resilience, compliance readiness, and long-term sustainability.

 

Project scope:

- Initial security and infrastructure audit

- Identify risks, vulnerabilities, and operational gaps

- Build and prioritize a remediation roadmap

- Implement key improvements over a 2–3 month engagement

- Potential for ongoing periodic security reviews and advisory support afterward

 

Current stack / environment:

- Git

- GitHub Actions

- Docker

- AWS

- Render

 

What you will do:

- Audit the current cloud and application setup from a security and DevSecOps perspective

- Review infrastructure, deployment processes, DNS configuration, access controls, and backup/disaster recovery practices

- Identify gaps related to SOC 2 readiness and help prepare for stronger enterprise security expectations

- Assess security controls around CI/CD, secrets management, container images, user access, and production environments

- Review existing vulnerability scanning practices and recommend improvements, including dynamic scanning where needed

- Help define and implement practical controls such as firewalling, hardening, monitoring, least-privilege access, and security hygiene improvements

- Investigate risks related to DNS, exposed services, stale records, misconfigurations, and other overlooked infrastructure issues

- Support the team in creating a sustainable, right-sized security approach for a small organization without overengineering

- Translate findings into an actionable roadmap with clear priorities, balancing risk, cost, and implementation effort

- Help improve confidence in responding to enterprise security questionnaires from large corporate clients

 

What we are looking for:

- 3+ years of hands-on experience in DevSecOps, DevOps with a strong security focus, or cloud/infrastructure security

- Strong experience with AWS and cloud security best practices

- Experience with GitHub Actions, CI/CD security, Docker, and container/image scanning

- Experience reviewing and securing hosted platforms, including PaaS environments such as Render or similar

- Solid understanding of IAM/access control, secrets management, DNS security, backups, disaster recovery, and infrastructure hardening

- Experience identifying and remediating security gaps in small or mid-sized SaaS environments

- Familiarity with SOC 2 controls and general compliance-oriented security practices

- Ability to recommend pragmatic, cost-conscious solutions for a small team

- Strong communication skills and ability to explain risks, tradeoffs, and priorities clearly to non-security stakeholders

- English level: B2 minimum

Availability requirements:

- Must be available for overlap from 14:00 to 16:00 Mountain Time (MT)

- Outside of that window, the working schedule is flexible

 

Nice to have:

- Experience with GDPR readiness or compliance-related security improvements

- Experience supporting penetration testing remediation

- Experience with SSO/security controls for B2B or enterprise clients

- Experience working with lean startups, nonprofits, or small product teams

 

Ideal profile:

This role is a great fit for someone who can independently assess a relatively simple SaaS environment, uncover blind spots, and implement the highest-impact security improvements without creating unnecessary complexity. We are looking for someone practical, hands-on, and able to combine audit thinking with execution.

 

Engagement:

- Estimated initial duration: 2–3 months

- Potential for ongoing part-time or periodic audit/advisory support

Required languages

English B2 - Upper Intermediate
Published 16 March