DevSecOps Engineer
HashiCorp
This position is for a DevSecOps Engineer supporting the Army Edge Computing Capability (AECC) project that ALTESS is fielding for the US Army. The AECC solution is a hyperconverged, multitenant hosting environment for Army enterprise and tactical applications. AECC is transitioning to a Kubernetes-based container orchestration platform, which may include Red Hat OpenShift or other Kubernetes distributions, to implement a modernized Software Defined Data Center (SDDC). The DevSecOps Engineer will play a critical role in modernizing applications into a DevSecOps framework, leveraging tools such as GitLab, Terraform, Ansible, and other automation and security tools to streamline development, deployment, and security processes. ALTESS provides value-added common and managed services built on top of the Kubernetes foundation, which hosted Army applications will require. ALTESS is a managed service provider (MSP) and hosting services provider for Army applications. ALTESS is a Product Lead office under Capability Program Executive (CPE) Enterprise Software and Services (CPE ES2).
DevSecOps Engineer Responsibilities
The DevSecOps Engineer will be responsible for designing, implementing, and maintaining secure, automated delivery pipelines in support of application modernization within the AECC environment. Key responsibilities include:
- Design, implement, and maintain a comprehensive DevSecOps framework to modernize applications hosted in the AECC environment.
- Build and manage CI/CD pipelines by integrating tools such as GitLab Ultimate, Terraform, and Ansible to automate development, deployment, and security workflows.
- Develop and enforce security gates within CI/CD pipelines to ensure only secure code, container images, and configurations are deployed.
- Collaborate with development teams to containerize legacy applications and migrate them to Kubernetes-based environments.
- Integrate security testing into pipelines, including static application security testing (SAST), dynamic application security testing (DAST), and container image scanning.
- Perform container image vulnerability scanning using tools such as Trivy, Clair, or Anchore.
- Implement and manage secrets management solutions (e.g., HashiCorp Vault, Sealed Secrets) to securely handle sensitive data across pipelines and applications.
- Monitor CI/CD pipelines and Kubernetes workloads for performance, security, and compliance using GitLab CI/CD dashboards.
- Optimize pipeline performance and resource utilization to reduce deployment times and improve scalability.
- Partner closely with developers, Kubernetes administrators, and cybersecurity teams to ensure applications meet security, compliance, and operational requirements.
- Provide training, documentation, and guidance to development teams on DevSecOps tools, workflows, and best practices.
- Translate high-level technical objectives into detailed technical requirements in collaboration with internal and external stakeholders.
- Ensure applications and pipelines comply with applicable standards and frameworks, including DoD RMF, CIS Benchmarks, and NIST SP 800-53.
- Produce and maintain reports on pipeline security posture, application compliance, and deployment metrics for leadership and stakeholders.
DevSecOps Engineer Qualifications
- Strong expertise in implementing and managing DevSecOps frameworks using tools such as GitLab, Azure DevOps, or Atlassian.
- Proficiency in Infrastructure as Code (IaC) tools, including Terraform and Ansible.
- Experience with containerization and orchestration tools, such as Docker, Kubernetes, and Red Hat OpenShift.
- DoD 8570.01-M IAT Level II certification (e.g., Security+ CE).
- Must obtain computing environment certifications (e.g., any GitLab certification, Azure DevOps, Jira, etc.) within 6 months of hire.
- Must hold and maintain an active Secret security clearance.
- Knowledge of static application security testing (SAST) and dynamic application security testing (DAST) tools (e.g., SonarQube, OWASP ZAP, Burp Suite).
- Familiarity with container image scanning tools (e.g., Trivy, Clair, Anchore).
- Experience with secrets management tools (e.g., HashiCorp Vault, Sealed Secrets).
- Proficiency in scripting languages (e.g., Python, Bash, PowerShell) for automating tasks and workflows.
- Experience with CI/CD pipeline automation and optimization.
- Experience with monitoring tools such as Prometheus, Grafana, and GitLab CI/CD dashboards.
- Strong troubleshooting skills for diagnosing issues in CI/CD pipelines and Kubernetes workloads.