Principal DevSecOps Engineer
Job Description
We are looking for a highly skilled AppSec Engineer to join our team. In this role, you will be responsible for designing, implementing, and maintaining software security capabilities for Carnival’s global brands. The role reports into the GISCS organization, specifically the Global Application Security team. You will work closely with development and operations teams across multiple brands to advance a security culture that empowers Carnival to produce features and digital experiences that delight our guests while safeguarding the interests of both Carnival Corporation and our customers.
Essential Functions:
- Design, implement and maintain secure, reusable DevOps pipelines for brand development teams that align with Carnival global application security standards.
- Develop and maintain cloud infrastructure using modern techniques like infrastructure as code (IaC) to host Application Security capabilities for consumption by brand teams.
- Lead security-focused projects, including the development of new API-driven automations that provide self-service security capabilities, such as static analysis and dynamic analysis, to software teams across the company.
- Create and automate new governance processes and controls to ensure that application security activities are carried out, and carried out easily, by software development teams.
- Work with development teams to ensure that security is built into the SDLC and that all code is secure by design.
- Contribute high-quality code to software projects in a hands-on manner.
- Collaborate with cross-functional teams, including product management, to define and deliver on product roadmaps.
- Spearhead the evaluation, selection, and implementation of cutting-edge security tools and technologies.
- Program, engineer, implement, and administer IT security technical controls and tools to assess vulnerabilities, misconfigurations and incidents.
- Develop and maintain relationships with 3rd party vendors responsible for providing technology services, tools, and consulting.
- Perform security reviews of deployments to ensure they meet relevant policies, standards, and guidelines.
- Create and distribute security reports to required business and IT units, including vulnerability reports for tracking of remediation.
- Provide mentorship and guidance to other team members, fostering an environment of continuous learning and development.
- Respond to escalations and other priorities as required; this may require after-hours engagement as needed.
- Other projects and duties as assigned (e.g., assisting brand teams with incident response and remediation).
Qualifications:
Required Years and Area of Professional Experience:
- 8-10+ years’ experience in DevOps or DevSecOps roles.
- 7+ years hands-on experience with Cloud Service Providers (AWS heavily preferred).
- 7+ years hands-on experience with Infrastructure as Code (Terraform preferred).
Knowledge, Skills & Abilities:
- Extensive experience with DevOps tools such as Git, Jenkins, Ansible, and Terraform.
- Strong experience with DevSecOps practices, including automation of SAST, DAST, IAST, MAST along with threat modeling, code peer reviews, security remediation and security monitoring/incident response enablement.
- Extensive understanding of DevOps and Agile methodologies.
- Extensive hands-on experience using APIs to query RESTful services and integrate third party services.
- Strong experience programming using one or more of the following: Java, Java Spring Boot, Python, or C/C++.
- Extensive experience with security automation and scripting with languages like Python, Go, or Bash.
- Extensive hands-on skills and experience with container technologies like Kubernetes, Docker, and Rancher.
- Experience with security automation, security log review and analysis, threat analysis tools.
- Extensive experience with CI/CD deployment pipelines and automated build and configuration tools such as GitLab, Jenkins, Ansible, and Terraform.
- Background in Linux operating systems.
- Extensive hands-on knowledge of cloud security controls involving tenant isolation, encryption at rest, encryption in transit, and secrets management (HashiCorp preferred).
- Proven track record of taking ownership of strategic initiatives and driving results in complex environments.
- Demonstrated ability to manage multiple workstreams simultaneously.
- Ability to work in a fast-paced setting.
- Proven success in contributing to a team-oriented environment.
- Proven ability to work creatively and analytically in a problem-solving environment.
- Excellent communication (written and oral) and interpersonal skills.
Decision-Making:
- Strategic: Decisions affect the long-term direction and policy of the entire company. These decisions affect the short-term and long-term performance of CCL. Strategic decisions are high-risk because their outcomes are largely unknown and have a huge impact. These types of decisions are usually made at the top level of a company. Examples are: New services, acquisitions.
- Tactical: Decisions focus on intermediate-term issues. The purpose of decisions made at this level is to help move CCL closer to reaching strategic goals. Outcomes are predictable. After a decision is made by Top Executive Leadership, the next phase is to take the needed steps to implement it. Examples are: the amount of money required to implement, which advertising agency to promote a new service, or whether to provide an incentive plan to employees to encourage increased revenue.
- Operational: Decisions focus on day-to-day activities within the company. Decisions made at this level help to ensure that daily activities proceed smoothly and therefore help to move the company toward reaching a strategic goal. They have short term consequences. Examples are: Handling employee conflicts, purchasing materials needed for operations.
- Standard: These are repetitive decisions made on a recurring basis, commonly related to daily activities. They are relatively simple, relying on historical data and previous solutions. Examples are: reordering of standard office supplies, handling transactions.
Physical Demands: Must be able to remain in a stationary position at a desk and/or computer for extended periods of time.
Travel: No travel.
Work Conditions: Work primarily in a climate-controlled environment with minimal safety/health hazard potential.
The range for this role’s salary rate is $93,580-$145,000. Offers to the selected candidates will be made on a fair and equitable basis, taking into account specific job-related skills and experience.
At Carnival, your total rewards package is much more than your base salary. All non-sales roles participate in an annual cash bonus program, while sales roles have an incentive plan. Director and above roles may also be eligible to participate in Carnival’s discretionary equity incentive plan. Plus, Carnival provides comprehensive and innovative benefits to meet your needs, including:
- Health Benefits:
  - Cost-effective medical, dental and vision plans
  - Employee Assistance Program and other mental health resources
  - Additional programs include company paid term life insurance and disability coverage
- Financial Benefits:
  - 401(k) plan that includes a company match
  - Employee Stock Purchase plan
- Paid Time Off:
  - Holidays – All full-time and part-time with benefits employees receive days off for 7 company-wide holidays, plus an additional floating holiday to be taken at the employee’s discretion.
  - Vacation Time – All full-time employees at the manager and below level start with 14 days/year; director and above level start with 19 days/year. Part-time with benefits employees receive time off based on the number of hours they work, with a minimum of 84 hours/year. All employees gain additional vacation time with further tenure.
  - Sick Time – All full-time employees receive 80 hours of sick time each year. Part-time with benefits employees receive time off based on the number of hours they work, with a minimum of 60 hours each year.
- Other Benefits:
  - Complimentary stand-by cruises, employee discounts on confirmed cruises, plus special rates for family and friends
  - Personal and professional learning and development resources including tuition reimbursement
  - On-site preschool program and wellness center at our Miami campus
#LI-RM1
#LI-Remote
About Us
- A comprehensive benefit program which includes medical, dental and vision plans
- Additional programs include company paid term life insurance and disability coverage and a 401(k) plan that includes a company match
- Employee Stock Purchase plan
- Paid vacation and sick time
- Cruise benefits
- An on-site fully accredited preschool educational program located at our Doral campus
- An on-site Wellness Center and Health clinic at our Doral campus