Posted on: 30/01/2026
Description :
Compliance and Governance :
A. Compliance Standards :
- Ensure adherence to GDPR, HIPAA, PCI DSS, and other standards.
- Maintain audit trails with AWS CloudTrail and Bitbucket Activity Logs.
Vulnerability Assessment, Penetration Testing (VAPT), and Hardening :
- Assessments : Perform regular vulnerability assessments on AWS resources using tools like Amazon Inspector, Nessus, or Qualys, and track findings to closure.
- Service Hardening : Apply AWS best practices (CIS AWS Foundations Benchmark) to secure services like EC2, RDS, and S3.
- Encryption : Implement encryption at rest with AWS KMS and in transit with TLS, and verify it with automated checks rather than by assumption.
Infrastructure Security :
A. Cloud Security :
- Use AWS services (Security Hub, GuardDuty, CloudTrail) and GCP tools (Security Command Center, IAM) to harden cloud environments.
- Automate infrastructure deployment with Terraform or AWS CloudFormation, ensuring security best practices.
- Scan IaC using Checkov, Terrascan, or AWS Config Rules.
Application Security :
A. SAST and DAST :
- Perform SAST during development to identify vulnerabilities early.
- Conduct DAST against staging, and against production only with explicit authorization and non-destructive scan settings, using tools like Burp Suite, OWASP ZAP, or HCL AppScan.
B. Android Security :
- Test Android apps using tools like MobSF, QARK, or Drozer.
- Verify apps against the OWASP MASVS using the OWASP MASTG (formerly MSTG) test cases.
Ethical Hacking and Ransomware Testing :
- Ransomware Simulation : Simulate ransomware attacks in an isolated environment to test backup restoration, recovery time, and data resiliency.
- Ethical Hacking : Perform authorized ethical hacking exercises to assess system vulnerabilities and identify potential breach paths.
Threat Analysis & Threat Modeling :
- Conduct regular threat analysis to evaluate potential risks to cloud infrastructure and applications.
- Create and maintain threat models for applications, services, and infrastructure to identify attack vectors and mitigation strategies.
- Use tools like Microsoft Threat Modeling Tool, OWASP Threat Dragon, or custom modeling techniques to identify and prioritize risks.
Code Scanning :
- Use Bitbucket Code Insights for integrated security scan results in PRs.
- Monitor repositories for exposed credentials or sensitive data.
- Automate IaC scanning with tools like Checkov.
CI/CD and Code Security :
A. Secure Pipelines :
- Integrate Bitbucket Pipelines with AWS services for secure deployments.
- Automate security checks at each pipeline stage :
  - SAST (Static Application Security Testing) : Use tools like SonarQube.
  - DAST (Dynamic Application Security Testing) : Use tools like OWASP ZAP or Burp Suite.
  - Dependency scanning using tools like OWASP Dependency-Check.
  - Container security scanning for Docker images.
WSO2 API Manager Responsibilities :
A. API Security :
- Secure APIs with OAuth2, JWT tokens, and mutual TLS.
- Implement rate-limiting and throttling to prevent abuse.
- Integrate APIs with Amazon Cognito or other identity providers for authentication.
Monitoring and Incident Response :
A. Monitoring :
- Use Amazon CloudWatch, GuardDuty, and Bitbucket monitoring features.
- Configure proactive alerts using PagerDuty or Slack for Bitbucket Pipelines.
B. Incident Response :
- Automate incident response workflows using AWS Systems Manager or AWS Lambda.
- Conduct regular incident response drills.
AWS IAM (Identity and Access Management) :
- Policy Design : Create and enforce least privilege access policies.
- Audits : Conduct regular audits of IAM roles, groups, and policies to ensure compliance and security.
- Federated Identity : Configure and manage federated identity with external IdPs (e.g., Okta, Microsoft Entra ID, formerly Azure AD).
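As an added example (not part of the posting, and not an AWS tool), the following Python script implements the least-privilege audit described above offline: it walks an IAM policy document and flags Allow statements that pair wildcard actions with wildcard resources, or that grant privilege-escalation-capable actions without a Condition. The policy, account ID, role and bucket names are constructed for illustration, and the escalation shortlist is an assumption rather than a complete catalogue.

```python
"""Least-privilege audit of an AWS IAM policy document (added example).

Offline: takes a policy as a dict (for instance the JSON returned by
`aws iam get-policy-version` or a rendered Terraform policy document)
and reports statements a reviewer should reject. No boto3 call is made.
"""
from fnmatch import fnmatchcase

# Actions that let a principal become admin even when Resource is scoped.
# Assumption: illustrative shortlist, not a complete catalogue.
PRIV_ESC_ACTIONS = [
    "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:CreatePolicyVersion",
    "iam:PassRole", "iam:PutRolePolicy", "iam:PutUserPolicy",
    "iam:SetDefaultPolicyVersion", "sts:AssumeRole",
]


def _as_list(value):
    """IAM allows Action/Resource/Statement to be a string/dict or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _matches(action: str, patterns: list[str]) -> bool:
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def audit_policy(policy: dict) -> list[dict]:
    """Return one finding per risky Allow statement, in statement order."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        reasons, severity = [], None

        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        wildcard_resource = any(r == "*" for r in resources)
        if wildcard_action and wildcard_resource:
            reasons.append("wildcard Action on wildcard Resource (effectively admin)")
            severity = "HIGH"
        elif wildcard_action:
            reasons.append("service-wide Action wildcard; enumerate the needed actions")
            severity = "MEDIUM"

        # A scoped Resource plus a Condition (e.g. iam:PassedToService) is the
        # usual fix for these; without a Condition they are flagged.
        escalators = [a for a in PRIV_ESC_ACTIONS if _matches(a, actions)]
        if escalators and not stmt.get("Condition"):
            reasons.append("privilege-escalation actions without a Condition: "
                           + ", ".join(escalators))
            severity = "HIGH"

        if "NotAction" in stmt or "NotResource" in stmt:
            reasons.append("uses NotAction/NotResource; review the implied grant manually")
            severity = severity or "MEDIUM"

        if reasons:
            findings.append({"sid": sid, "severity": severity, "reasons": reasons})
    return findings


# Constructed policy for illustration; account ID and names are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DeployAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "LogsRead", "Effect": "Allow", "Action": "logs:*",
         "Resource": "arn:aws:logs:eu-west-1:123456789012:log-group:/app/*"},
        {"Sid": "PassAnyRole", "Effect": "Allow",
         "Action": ["iam:PassRole", "ec2:RunInstances"], "Resource": "*"},
        # Hardened form of PassAnyRole: scoped role plus a service condition.
        {"Sid": "PassLambdaRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/app-lambda",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
        {"Sid": "ReadArtifacts", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-artifacts/*"},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Action": "s3:PutObject",
         "Resource": "*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ],
}

if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"[{f['severity']}] {f['sid']}: " + "; ".join(f["reasons"]))
```

Run against the sample, DeployAll and PassAnyRole come back HIGH and LogsRead MEDIUM, while the PassLambdaRole statement, which carries the same iam:PassRole action but a scoped role and an iam:PassedToService condition, is accepted. In a periodic IAM audit the same function can be applied to every customer-managed policy version and every inline policy; the check is intentionally syntactic, so a clean result is a prerequisite for review, not a substitute for it.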
Bitbucket Roles and Responsibilities :
A. Version Control Security :
- Manage repository access using Bitbucket permission levels (Admin, Write, Read) and review them regularly.
- Enforce branch restrictions on release branches (required PR reviews, no direct pushes, passing builds).
- Store secrets as secured (masked) Bitbucket Pipelines repository or deployment variables, never in the repository itself.
B. CI/CD Pipeline Integration :
- Integrate Bitbucket Pipelines with security tools like SonarQube or Checkmarx.
- Automate dependency vulnerability checks.
- Use pre-commit hooks for code quality and security validation.
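The two items above on monitoring repositories for exposed credentials and on pre-commit security validation share one mechanism, so here is one added example for both (not part of the posting, and not a Bitbucket feature): a small Python secret scanner that runs as a pre-commit hook or over a checkout. It combines an AWS access key ID pattern, private-key PEM headers, and quoted secret-looking assignments filtered by Shannon entropy so that placeholders such as "changeme" do not fire. The files it scans are constructed for illustration; the key ID used is the example key ID from AWS documentation, not a live credential, and the entropy threshold and the `pragma: allowlist secret` opt-out marker are assumptions.

```python
"""Secret scanner usable as a pre-commit hook (added example).

Three detectors: an AWS access key ID pattern, private-key PEM headers, and
quoted secret-looking assignments filtered by Shannon entropy so that
placeholders such as "changeme" do not fire. Runs offline on the embedded
constructed files; `scan_paths` reads real files for hook use.
"""
import math
import re
import sys
from collections import Counter

ENTROPY_THRESHOLD = 3.5  # bits per character; assumption tuned for 8+ char values
ALLOWLIST_MARKER = "pragma: allowlist secret"  # assumption: inline opt-out token

# (rule name, pattern, entropy threshold applied to group(1) or None)
RULES = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), None),
    ("private-key",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"), None),
    ("high-entropy-secret-assignment",
     re.compile(r"(?i)(?:password|passwd|secret|token|api[_-]?key)\b\s*[:=]\s*"
                r"[\"']([^\"'\s]{8,})[\"']"),
     ENTROPY_THRESHOLD),
]


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value` (0.0 for the empty string)."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan_text(path: str, text: str) -> list[dict]:
    """Scan one file's content; one finding per (line, rule) that fires."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_MARKER in line:
            continue  # reviewed and explicitly allow-listed
        for rule, pattern, threshold in RULES:
            m = pattern.search(line)
            if not m:
                continue
            if threshold is not None and shannon_entropy(m.group(1)) < threshold:
                continue  # low-entropy placeholder, not a real secret
            findings.append({"path": path, "line": lineno, "rule": rule})
    return findings


def scan_files(files: dict[str, str]) -> list[dict]:
    """Scan an in-memory {path: content} map in deterministic path order."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def scan_paths(paths) -> list[dict]:
    """Read files from disk, e.g. the output of `git diff --cached --name-only`."""
    files = {}
    for p in paths:
        try:
            with open(p, encoding="utf-8", errors="replace") as fh:
                files[p] = fh.read()
        except OSError:
            continue  # deleted or unreadable in this commit
    return scan_files(files)


# Constructed sample repository contents for illustration.
SAMPLE_FILES = {
    "app/config.py": "\n".join([
        "import os",
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',        # line 2: AWS doc example ID
        'db_password = os.environ["DB_PASSWORD"]',          # line 3: clean, from env
        'API_TOKEN = "xK9f2Qm7vL4pR8sT1wZ3bN6yH0jD5gA2"',   # line 4: high entropy
        'PLACEHOLDER_SECRET = "changeme"',                  # line 5: low entropy
        'TEST_TOKEN = "xK9f2Qm7vL4pR8sT1wZ3bN6yH0jD5gA2"  # pragma: allowlist secret',
    ]) + "\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXk...\n",
    "README.md": "Set DB_PASSWORD in the environment before starting.\n",
}

if __name__ == "__main__":
    found = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_files(SAMPLE_FILES)
    for f in found:
        print(f"{f['path']}:{f['line']}: {f['rule']}")
    sys.exit(1 if found else 0)  # non-zero blocks the commit when used as a hook
```

Wired into `.git/hooks/pre-commit` as `python3 scan_secrets.py $(git diff --cached --name-only --diff-filter=ACM)`, the non-zero exit blocks the commit; the same command in a Bitbucket Pipelines step catches what bypassed local hooks. The entropy filter is what keeps the generic rule usable: it ignores `"changeme"` but fires on the random-looking token, and the allow-list marker gives reviewers an auditable way to accept a deliberate test value.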
EXPERTISE AND QUALIFICATIONS :
Key Tools and Technologies :
Category : Tools
Compliance and Governance :
- GDPR, HIPAA, PCI DSS / AWS CloudTrail and Bitbucket Activity Logs
Vulnerability Assessment, Penetration Testing (VAPT), and Hardening :
- Amazon Inspector, Nessus, Qualys / AWS KMS, TLS
Infrastructure Security :
- AWS Security Hub, GuardDuty, CloudTrail / Terraform, AWS CloudFormation / Checkov, Terrascan, AWS Config Rules
Application Security :
- SAST / DAST / MobSF, QARK, Drozer
Ethical Hacking and Ransomware Testing :
- Ransomware simulation / ethical hacking exercises
Threat Analysis & Threat Modeling :
- Microsoft Threat Modeling Tool, OWASP Threat Dragon
Code Scanning :
- SonarQube, Checkmarx, OWASP ZAP, Bitbucket Code Insights
Source Control :
- Bitbucket, Git
CI/CD :
- Bitbucket Pipelines, Jenkins, GitLab CI/CD
Cloud Security :
- AWS Security Hub, GuardDuty, GCP Security Command Center
API Management :
- WSO2 API Manager, AWS API Gateway
Posted in: CyberSecurity
Functional Area: Cyber Security
Job Code: 1607907