DevSecOps (DEV01085)

Development

Mumbai

Hybrid

About Us

TimesPro strives to embody the values of Education 4.0: Learner-centric, industry-relevant, role-specific, and technology-enabled, with a goal of making learning accessible for anyone who seeks to grow.
TimesPro aims to fulfil aspirations of by making excellence accessible through learner-centric innovations and global collaborations.Established in 2013, we are the award-winning H. EdTech initiative of the Times Of India Group, catering to the learning needs of Indians with aspirations of career growth.
We offer a variety of created and curated learning programmes across a range of categories, industries, and age groups. They include employment-oriented Early Career courses across BFSI, e-Commerce, and technology sectors; Executive Education for working professionals in collaboration with premier national and global educational institutions; and Enterprise Solutions for learning and development interventions at the organisational level.
Visit us at https://www.timespro.com

Job Description

Compliance and Governance

Compliance Standards:
- Ensure adherence to GDPR, HIPAA, PCI DSS, and other standards.
- Maintain audit trails with AWS CloudTrail and Bitbucket Activity Logs.

Vulnerability Assessment, Penetration Testing (VAPT), and Hardening

Assessments: Perform regular vulnerability assessments on AWS resources using tools like AWS Inspector, Nessus, or Qualys.
Service Hardening: Apply AWS best practices to secure services like EC2, RDS, and S3.
Encryption: Implement encryption in transit and at rest using AWS KMS and SSL/TLS.

Infrastructure Security

Cloud Security:

Use AWS services (Security Hub, GuardDuty, CloudTrail) and GCP tools (Security Command Center, IAM) to harden cloud environments.
Automate infrastructure deployment with Terraform or AWS CloudFormation, ensuring security best practices.
Scan IaC using Checkov, Terrascan, or AWS Config Rules.

Application Security

SAST and DAST:
- Perform SAST during development to identify vulnerabilities early.
- Conduct DAST in staging or production using tools like Burp Suite, OWASP ZAP, or AppScan.
Android Security:
- Test Android apps using tools like MobSF, QARK, or Drozer.
- Ensure compliance with OWASP MSTG standards.

Ethical Hacking and Ransomware Testing

Ransomware Simulation: Simulate ransomware attacks to test recovery capabilities and data resiliency.
Ethical Hacking: Perform ethical hacking exercises to assess system vulnerabilities and identify potential breaches

Threat Analysis & Threat Modeling:
- Conduct regular threat analysis to evaluate potential risks to cloud infrastructure and applications.
- Create and maintain threat models for applications, services, and infrastructure to identify attack vectors and mitigation strategies.
- Use tools like Microsoft Threat Modeling Tool, OWASP Threat Dragon, or custom modeling techniques to identify and prioritize risks.
Code Scanning:

Use Bitbucket Code Insights for integrated security scan results in PRs.
Monitor repositories for exposed credentials or sensitive data.
Automate IaC scanning with tools like Checkov.

CI/CD and Code Security

Secure Pipelines:
- Integrate Bitbucket Pipelines with AWS services for secure deployments.
- Automate security checks at each pipeline stage:
  - SAST (Static Application Security Testing): Use tools like SonarQube.
  - DAST (Dynamic Application Security Testing): Use tools like OWASP ZAP or Burp Suite.
  - Dependency scanning using tools like OWASP Dependency-Check.
  - Container security scanning for Docker images.

Code Scanning:

Use Bitbucket Code Insights for integrated security scan results in PRs.
Monitor repositories for exposed credentials or sensitive data.
Automate IaC scanning with tools like Checkov.

WSO2 API Manager Responsibilities

API Security:
- Secure APIs with OAuth2, JWT tokens, and mutual TLS.
- Implement rate-limiting and throttling to prevent abuse.
- Integrate APIs with AWS Cognito or other identity providers for authentica

Monitoring and Incident Response

Monitoring:
- Use AWS CloudWatch, GuardDuty, and Bitbucket monitoring features.
- Configure proactive alerts using PagerDuty or Slack for Bitbucket Pipelines.
Incident Response:
- Automate incident response workflows using AWS Systems Manager or AWS Lambda.
- Conduct regular incident response drills.

AWS IAM (Identity and Access Management)

Policy Design: Create and enforce least privilege access policies.
Audits: Conduct regular audits of IAM roles, groups, and policies to ensure compliance and security.
Federated Identity: Configure and manage federated identity with external IdPs (e.g., Okta, Azure AD).

Bitbucket Roles and Responsibilities

Version Control Security:
- Manage repository access using roles (Admin, Developer, Read-Only).
- Enforce branch protection rules for PR reviews.
- Secure sensitive data using Bitbucket Pipelines environment variables.
CI/CD Pipeline Integration:
- Integrate Bitbucket Pipelines with security tools like SonarQube or Checkmarx.
- Automate dependency vulnerability checks.
- Use pre-commit hooks for code quality and security validation.

Job Requirement

Key Tools and Technologies

Category

Tools

Compliance and Governance

GDPR, HIPAA, PCI DSS / AWS CloudTrail and Bitbucket Activity Logs

Vulnerability Assessment, Penetration Testing (VAPT), and Hardening

VAPT

Infrastructure Security

AWS services

Application Security

SAST / DAST

Ethical Hacking and Ransomware Testing

ransomware attacks / system vulnerabilities

Threat Analysis & Threat Modeling

applications, services, and infrastructure

Code Scanning

SonarQube, Checkmarx, OWASP ZAP

Source Control

Bitbucket, Git

CI/CD

Bitbucket Pipelines, Jenkins, GitLab CI/CD

Cloud Security

AWS Security Hub, GuardDuty, GCP Security

API Management

WSO2 API Manager, AWS API Gateway