Role/Job Title: DevSecOps Pentester
Work Location: London (2 - 3 days)
The Role
Conducts security assessments and penetration tests across CI/CD pipelines, cloud infrastructure, and application environments. Integrates automated security tools and practices within DevOps workflows to ensure continuous security validation. Identifies and exploits vulnerabilities in code, containers, APIs, and infrastructure-as-code before they reach production. Collaborates with development, security, and operations teams to implement remediation and improve security posture. Stays current with threat landscapes, tools, and methodologies to proactively defend against evolving cyber risks, both in general and those specific to the airline industry and the wider transportation sector.
Your Responsibilities
Integrate security practices and tools into the DevOps pipeline so that security is a continuous process.
Perform IaC Automation and ServiceNow integrations to automate AWS Service catalogues. Contribute to security tooling, checklists, and automation efforts.
Identify potential security threats and vulnerabilities during the design phase, and identify flaws in CI/CD, IaC, and cloud/containerized environments.
Perform manual and automated security testing on web apps, APIs, pipelines.
Participate in agile ceremonies (sprint planning, threat modeling, grooming).
Create detailed reports outlining identified vulnerabilities, their potential impact, and recommended remediation steps, including executive summaries and technical findings, and providing actionable advice to clients on how to address the identified vulnerabilities and improve their security posture.
Validate remediations and conduct retesting cycles.
Track and manage issues via Jira workflows and developer tickets.
Advise on secrets management, IAM, and secure deployment practices.
Educate development and operations teams on security best practices and emerging threats.
Your Profile
Essential skills/knowledge/experience:
Strong application security background (OWASP Top 10, API security).
Manual pentesting of modern web apps, APIs, and CI/CD pipelines.
Deep understanding of DevSecOps practices, secure SDLC and proficient in threat modeling and secure design review.
Proficiency in automating security checks within the CI/CD pipeline using tools like Jenkins, GitLab, and Ansible is vital.
Knowledge of secure coding practices and common developer pitfalls.
Scripting for testing/automation (Python, Bash, Go).
Experience with cloud-native architectures (Docker, Kubernetes, IaC).
Knowledge of securing cloud platforms (AWS, Azure, GCP) and understanding cloud security best practices.
Effective communication and collaboration with developers and DevOps.
Comfortable operating in agile, fast-paced environments.
Desirable skills/knowledge/experience:
Exceptional customer engagement and reporting skills.
Exceptional analytical, problem-solving, and troubleshooting abilities.
Proven use of modern security tooling in real-world projects.
Experience in agile delivery teams and cross-functional collaboration.
Exposure to cloud security and IaC misconfiguration testing.
Comfortable documenting technical findings and engaging in remediation cycles.
Nice-to-have certifications (not mandatory): OSCP, OSWA, CRTO, GWAPT, GPEN, eWPT
Azure Security Engineer Associate / AWS Security Specialty
Kubernetes Security or DevSecOps-focused certifications