Sr. DevSecOps Application Security Engineer

Life at Plume
At Plume, we believe that technology isn't about moving faster, it's about making life's moments better. Which is why we've built the world's first, and only, open and hardware-independent service delivery platform for smart homes, small businesses, enterprises, and beyond. Our SaaS platform uses WiFi, advanced AI, and machine learning to create the future of connected spaces—and human experiences—at massive scale.

We now deliver services to over 60 million locations globally and have managed over 3 billion devices on our platform. We're expanding rapidly, pioneering a new category, and we achieved our Series F funding in just four years. Our customers include many of the world's largest Internet Service Providers (ISPs) who look to Plume to help them evolve their smart home offerings while gleaning insights from their own data.

With a bias for action and a love for being trailblazers, the team at Plume embodies a combination of relentless curiosity and imaginative innovation. We challenge ourselves to think in ways that other companies don't, work to do what should be done (rather than what can), and if we can't do it exceptionally well, we don't do it. It's how we've assembled a team of world-class builders, thinkers, and doers. And it's how we're reinventing what's possible every day.

The Opportunity
Overview:
Plume is seeking a dynamic Senior DevSecOps Application Security Engineer to champion and drive their DevSecOps and Application Security initiatives—shaping secure software delivery across a fast-moving, cloud-native environment. In this role, you will own and lead development of processes, policies, automation and security tooling to streamline security in SDLC and CI/CD pipelines, working closely with software engineers, product leads, DevOps and data engineers. You'll also help with security by design and privacy by design reviews, with a goal of being an expert in product security disciplines.

Join Plume's security engineering team and contribute to protecting our mission, ensuring the integrity of our systems, and maintaining the highest standards of information security and privacy.

Key Responsibilities

• Lead the Application Security and DevSecOps domain, focusing on reducing software security risks.
• Manage Application security tools in SAST, DAST, IaC, SCA, Secrets, Leaks using your understanding of secure coding principles to guide policies.
• Run the Security Champions program using metrics to show areas of risk and show best practices to correct these risks.
• Improve the DevOps pipeline to protect cloud applications, resources and APIs.
• Implement and maintain controls within the Continuous Integration/Continuous Deployment (CI/CD) pipeline to meet necessary security standards
• Use AI and automated tools/scripts for routine security checks
• Develop and maintain security policies, procedures, and guidelines, recommending necessary changes to ensure full compliance with applicable requirements.
• Advise engineering and development teams on security best practices and design principles by using your knowledge of SaaS and IoT architecture approaches
• Enforce security policies for cloud deployments, manage centralized configurations, and monitor systems for security compliance.
• Serve as the subject matter expert (SME) for security solutions, maintaining documentation and advising on their technologies and operations.
• Collaborate with security and IT teams to identify threats and areas for improvement, creating safer software and application deployments and measuring decreased risks and issues.

Qualifications

• Bachelor's degree in Information Security, Computer Science, Computer Engineering or a related field.
• 5+ years of professional experience in Security Engineering, AppSec or DevSecOps
• 2 years experience in Cloud DevSecOps with proven experience implementing security controls within the CI/CD pipeline and/or Kubernetes.
• 1 year hands-on experience with software coding in AI agents, Python, Shell, Go, and JavaScript, and the ability to understand code/APIs for SaaS products.
• Good knowledge of public cloud architectures such as AWS, and cryptographic best practices.
• Experience with SAST, SCA DAST, container security and secure baselines.
• Understand technologies such as Teraform, Helm Charts, Jenkins, Heroku, Circle CI, GIthub Actions, Cycode and how to use those technologies to secure a dynamic deployment environment.
• Proven ability to work independently, demonstrate leadership, and influence change.
• Effective collaboration across teams and disciplines, even in highly ambiguous situations, with a track record of delivering quality results quickly.
• Strong communication, written, presentation, and interpersonal skills.
• Familiarity with security framework policies, processes, and controls, such as ISO27001, ISO27701, SOC2, NIST CSF, and CIS, is a plus.
• Certifications such as OSCP, CEH, CISSP, AWS, CIPP, CIPPT, etc., are a plus.

About Plume
As the creator of the only open, hardware-independent, cloud-controlled experience platform for ISPs and their subscribers, Plume partners with over 400 ISP customers, including some of the world's largest such as Comcast, Charter, Liberty Global, and J:COM.

Using OpenSync, the most widely supported open-source, silicon-to-cloud framework for smart spaces, Plume's software-defined network allows ISPs to decouple their service offerings from hardware and rapidly curate and deliver new services over a multi-vendor, open-platform architecture.

Plume is an equal opportunity workplace that maintains a continuing policy of nondiscrimination in all employment practices and decisions, ensuring equal employment opportunities for all qualified individuals without regard to race, color, creed, religion, sex, national origin, age, physical or mental disability, sexual orientation, gender identity, marital status, pregnancy, childbirth or related individual conditions, medical conditions (as defined by state law), military or veteran status, or any other characteristic protected by federal, state or local law.