Engineer III, Software
Thermo Fisher · Bangalore, India
Thermo Fisher · Bangalore, India
Work Schedule First Shift (Days) Environmental Conditions Office Job Description Job Title Senior DevSecOps Engineer – SBOM, SAST & CI/CD Security Automation (6–10 years) Job Description We are seeking a Senior DevSecOps Engineer (6–10 years of experience) to lead security automation and tooling integration across MSD projects. This role will focus on embedding security controls into the software delivery lifecycles specifically SBOM generation and quality improvement, secret scanning, and SAST integration—and automating security report generation and publishing into platforms such as Dependency-Track and DefectDojo. You will work closely with engineering, DevOps, and security stakeholders to ensure scalable, repeatable, and measurable security practices are implemented through CI/CD pipelines, while continuously improving technical documentation and onboarding guidance for teams adopting these capabilities. Key Responsibilities • Integrate and operationalize security tooling within MSD projects, including: • SBOM generation and validation • Secret scanning • SAST (Static Application Security Testing) • Improve the quantity (coverage) and quality of generated SBOMs by defining standards, validation gates, and measurable KPIs (e.g., completeness, dependency accuracy, license metadata, component version resolution). • Design and maintain CI/CD automation to generate security reports and automatically publish results to: • Dependency-Track (SBOM ingestion / component risk analysis) • DefectDojo (centralized vulnerability management / reporting) • Build and maintain “security as code” patterns (pipeline templates, reusable scripts, standardized configs) to enable broad adoption across multiple repositories/teams. • Establish secure and scalable practices for credential handling in pipelines (least privilege, secret management patterns, rotation support). • Create, maintain, and continuously improve documentation (runbooks, onboarding guides, troubleshooting, reference architecture) to support platform adoption. • Provide operational support for security tooling integrations, including triage of pipeline failures, report ingestion issues, and tooling upgrades. • Contribute to continuous improvement of DevSecOps strategy, governance, and compliance alignment through automation and measurable outcomes. Required Skills • 6–10 years of experience in DevOps / DevSecOps / Security Engineering / Platform Engineering roles with strong CI/CD ownership. • Strong hands-on experience integrating security tools into CI/CD pipelines (e.g., Jenkins, GitHub Actions, GitLab CI). • Practical expertise in: • SBOM generation and management (e.g., CycloneDX, dependency discovery, artifact association) • Secret scanning integrations and tuning • SAST integration, configuration, and triage workflows • Experience automating generation, transformation, and publishing of security results (APIs, JSON handling, pipelines-as-code, scripting). </li