Quick Summary
Mid-Level DevSecOps Engineer | Financial Services Security
Our Way of Being and Doing
The Appmax team is composed of hands-on individuals who prioritize grit and collaboration. We strive daily to help digital entrepreneurs sell more efficiently and easily. We are inspired by our clients and are here to serve them by providing tools that maximize their results. If you want to participate in this journey, join us!
The Site Reliability Engineering (SRE) area ensures high availability and reliability of systems and services, continuously improving infrastructure and operations processes. We work closely with development teams to integrate software engineering practices with operations, promoting effective software delivery aligned with business objectives.
This role requires a focus on Information Security (DevSecOps) with experience in regulated financial environments (e.g., Bacen, the Central Bank of Brazil; PCI DSS; others).
We seek an individual passionate about working with Cloud Native architectures, Open Source tools, and the SRE world, who is committed to continuous development and learning (lifelong learning), working on innovative projects with high impact in the digital financial market.
Key Responsibilities
- Assist in developing security automations, tools, and features.
- Perform secure code review, both manual and automated, using approved tools on codebases written in PHP, Go, Python, and JavaScript.
- Support internal and external information security audits (Bacen, PCI DSS), aiding in evidence collection, control analysis, and meeting regulatory requirements.
- Build proofs of concept for identified vulnerabilities.
- Write security documentation and guidelines that reflect Central Bank (Bacen) regulatory requirements and best practices.
- Identify technical debt and propose solutions.
- Review and approve firewall rule changes.
- Administer AWS cloud environments, with a focus on security.
- Support periodic review processes for sensitive access and permissions across cloud environments, applications, and pipelines.
- Identify and correct excessive privileges, adhering to security best practices and regulatory requirements.
- Create and maintain detailed documentation on infrastructure and operational processes, providing training to team members.
- Help disseminate knowledge and best practices across teams.
- Take part in incident management and response, collaborating with other teams to minimize user impact.
- Support the maintenance of security controls required by regulatory standards, tracking action plans and corrections identified in audits.
- Work with other teams to improve the overall reliability of Appmax systems.
- Support the implementation and evolution of security pipelines in Infrastructure as Code (IaC), including validations, scanners, and automatic controls in CI/CD flows.
- Contribute to the integration of security tools into pipelines, promoting shift-left security practices.
- Create and maintain dashboards and reports to communicate system status to stakeholders.
- Support ongoing data loss prevention (DLP) initiatives, including monitoring, classification of sensitive information, and application of security controls.
- Identify risks of sensitive data exposure in applications, pipelines, and cloud environments.
- Drive continuous vulnerability management, tracking discovery, prioritization, remediation, and validation, independent of formal audit cycles.
- Support risk analysis associated with vulnerabilities, collaborating with technical teams to define correction plans.
- Support the definition, validation, and testing of Disaster Recovery and service continuity plans, considering security and regulatory requirements.
- Analyze risks of unavailability and impact on information security in failure scenarios.
- Implement and evolve security automations, supporting deployment, monitoring, and troubleshooting processes.
- Implement DevOps and CI/CD practices with a focus on security and compliance.
Required Skills & Experience
- Strong practical foundation in security protocols and mechanisms.
- Ability to support audit and compliance processes, including evidence collection.
- Fundamentals of application and API security (OWASP Top 10).
- Understanding of regulatory requirements and compliance (LGPD, PCI DSS, and Bacen regulations/standards).
- Knowledge of OWASP SAMM methodology and secure development practices.
- Familiarity with vulnerability and risk management concepts.
- Practical knowledge of security controls in cloud environments (preferably AWS).
- Understanding of security in CI/CD pipelines and automation.
- Experience with access and permission control (RBAC).
- Application security and incident mitigation using a WAF.
- Knowledge of concepts such as the ISO 27000 series, CWE, CVSS, CVE, MITRE ATT&CK, EDR, and MDR.
- Intermediate experience in cloud environments (AWS).
- Experience in corporate environments with Windows and Linux servers.
Preferred Qualifications (Differentiators)
- Previous experience in the financial sector, especially with institutions regulated by Bacen.
- Knowledge of RSFN (Rede do Sistema Financeiro Nacional) operation, secure communication, and ICP-Brasil digital certificates.
- Experience with messaging integrations and communication via RSFN.
- Hands-on experience implementing ISO 27001 / the ISO 27000 series.
- Experience with Kubernetes (EKS) and observability tools (Elasticsearch, Zabbix, New Relic, CloudWatch).
- Proficiency in automation and IaC (Ansible, Terraform).
- Programming and scripting skills (Python and/or shell scripting).
- Relevant Certifications (AWS, Kubernetes, Terraform, FinOps, CompTIA Security+, CISSP, CISM).
- Experience with RBAC in complex environments (Kubernetes, pipelines, internal services).
- Advanced DevSecOps practices (shift-left, security as code, threat modeling).
- Higher Education in progress or completed in IT or related areas.
- Experience in multi-account environments (AWS).
Benefits
- All necessary equipment and resources for work (in-person, hybrid, or remote model).
- Cost assistance for expenses for those working hybrid or remote.
- Flexfood (allowing choice between meal or grocery benefits).
- Health and Dental Plan.
- Wellhub, Avus, Starbem, Pharmacy agreement, Transportation voucher, Life insurance.
- Upmaxter program to assist with studies.
- An environment that encourages development and high performance, with monthly performance checkpoints, 1:1s, continuous feedback routines, and Individual Development Plan (PDI) tracking.