DevSecOps Engineer

Short-Term  Engagement, with potential ongoing advisory support

We are looking for a DevSecOps Engineer with 3+ years of experience to help audit, strengthen, and improve the security posture of a small but growing SaaS platform serving nonprofit and corporate clients.

OVERLAP 14:00–16:00 Mountain Time (MT)

This role is security-first, with DevOps responsibilities as a secondary layer. The main goal is to assess the current infrastructure, identify security and compliance gaps, and implement a practical roadmap to improve the platform’s overall resilience, compliance readiness, and long-term sustainability.

What we are looking for:

— 3+ years of hands-on experience in DevSecOps, DevOps with a strong security focus, or cloud/infrastructure security

— Strong experience with AWS and cloud security best practices

— Experience with GitHub Actions, CI/CD security, Docker, and container/image scanning

— Experience reviewing and securing hosted platforms, including PaaS environments such as Render or similar

— Solid understanding of IAM/access control, secrets management, DNS security, backups, disaster recovery, and infrastructure hardening

— Experience identifying and remediating security gaps in small or mid-sized SaaS environments

— Familiarity with SOC 2 controls and general compliance-oriented security practices

— Ability to recommend pragmatic, cost-conscious solutions for a small team

— Strong communication skills and ability to explain risks, tradeoffs, and priorities clearly to non-security stakeholders

— English level: B2 minimum

Project scope:

— Initial security and infrastructure audit

— Identify risks, vulnerabilities, and operational gaps

— Build and prioritize a remediation roadmap

— Implement key improvements over a 2–3 month engagement

— Potential for ongoing periodic security reviews and advisory support afterward
 

Current stack / environment:

— Git

— GitHub Actions

— Docker

— AWS

— Render
 

What you will do:

— Audit the current cloud and application setup from a security and DevSecOps perspective

— Review infrastructure, deployment processes, DNS configuration, access controls, and backup/disaster recovery practices

— Identify gaps related to SOC 2 readiness and help prepare for stronger enterprise security expectations

— Assess security controls around CI/CD, secrets management, container images, user access, and production environments

— Review existing vulnerability scanning practices and recommend improvements, including dynamic scanning where needed

— Help define and implement practical controls such as firewalling, hardening, monitoring, least-privilege access, and security hygiene improvements

— Investigate risks related to DNS, exposed services, stale records, misconfigurations, and other overlooked infrastructure issues

— Support the team in creating a sustainable, right-sized security approach for a small organization without overengineering

— Translate findings into an actionable roadmap with clear priorities, balancing risk, cost, and implementation effort

— Help improve confidence in responding to enterprise security questionnaires from large corporate clients