
Staff DevSecOps Engineer

Newpage Digital Healthcare solutions · United States · Remote
United States · Contract · Exp: 8+ yrs · Remote
Remuneration
Competitive compensation that recognizes both contribution and potential.
Location
United States · Remote
Visa sponsorship
Not specified

Job summary

Newpage Solutions is hiring a Staff DevSecOps Engineer to lead the security engineering posture for a strategic engagement with a global pharmaceutical company. This role involves defining how secure software is built, shipped, and operated across the client's cloud estate (AWS, Azure, and GCP), with a strong emphasis on embedding security as code into every pipeline. It is a hands-on principal-level position for an engineer proficient in cloud-native engineering, regulatory compliance, and developer experience.

Benefits

  • Flexible, remote-first work
  • People-first culture
  • Smart, purposeful collaboration
  • Work-life balance
  • Opportunities for learning, leadership, and career development
  • Competitive compensation

Qualifications

  • 8+ years of professional experience in security engineering, platform engineering, or SRE.
  • At least 4 years leading DevSecOps initiatives at scale.
  • Deep, current expertise with at least one major public cloud at production scale (AWS strongly preferred, with experience designing and operating multi-account environments with 50+ accounts).
  • Working familiarity with at least one additional cloud beyond the primary one (Azure or GCP).
  • Strong hands-on coding skills in at least one of Python, Go, or TypeScript.
  • Fluency in infrastructure-as-code with Terraform (cloud-agnostic mastery preferred; CDK, Bicep, or Pulumi also welcome).
  • Demonstrable experience embedding security into CI/CD pipelines and developer workflows for engineering organizations of 200+ developers.
  • Working knowledge of Kubernetes security on at least one managed offering (EKS preferred; AKS or GKE accepted).
  • Track record of operating in a regulated industry (pharma, healthcare, financial services, or critical infrastructure).
  • Ability to translate compliance frameworks into engineering controls.
  • Excellent written and verbal communication skills, comfortable presenting to a client CISO and pairing with a junior engineer.
  • Direct experience with pharma or life-sciences workloads (GxP, 21 CFR Part 11, Annex 11, CSV/CSA, pharmacovigilance systems, or clinical data platforms) is a plus.
  • Exposure to threat modeling frameworks (STRIDE, PASTA), MITRE ATT&CK, and threat-informed defense is a plus.
  • Experience with policy-as-code (OPA/Rego, Cedar) and continuous compliance platforms (Wiz, Prisma Cloud, Orca, Drata, Vanta) at enterprise scale is a plus.
  • Hands-on experience with secret management (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager) and zero-trust networking patterns is a plus.
  • Familiarity with AI/ML pipeline security and emerging risks around generative AI in regulated environments is a plus.

Responsibilities

  • Lead the security engineering posture for a strategic engagement with a global pharmaceutical company.
  • Define how secure software is built, shipped, and operated across the client's cloud estate (AWS, Azure, GCP).
  • Partner with the client's CISO organization, Cloud Platform Team, Application Teams, and Quality and Compliance functions to embed security as code into pipelines.
  • Define and own the DevSecOps reference architecture across the client's cloud estate.
  • Set the multi-year roadmap for shift-left security, supply-chain integrity, runtime protection, and continuous compliance evidence collection.
  • Act as the senior technical voice in client steering committees, security architecture reviews, and audit readiness sessions.
  • Translate regulatory intent into engineering requirements.
  • Mentor and coach Newpage and client engineers on secure coding, threat modeling, and incident response.
  • Design and operate hardened, multi-account or multi-subscription landing zones with guardrails enforced as code.
  • Build paved-road CI/CD pipelines with integrated SAST, DAST, SCA, secrets scanning, IaC scanning, container scanning, and SBOM generation.
  • Implement policy-as-code using OPA/Rego, Checkov, and cloud-native equivalents, enforcing at pull-request time and in production.
  • Operationalize cloud-native security services end-to-end.
  • Lead Kubernetes and container security across managed offerings, including admission control, image signing, runtime threat detection, and Pod Security Standards enforcement.
  • Drive supply-chain security to SLSA-aligned maturity: signed builds, attested artifacts, dependency provenance, and verified deploys.
  • Engineer controls that satisfy GxP, 21 CFR Part 11, Annex 11, HIPAA, GDPR, and client global information security standards.
  • Design continuous compliance evidence pipelines that auto-generate audit artifacts for FDA, EMA, and internal QA inspections.
  • Partner with Computer System Validation (CSV) and Computer Software Assurance (CSA) teams to align DevSecOps tooling with validated-state expectations.
  • Champion data protection for sensitive scientific IP, clinical trial data, and patient-adjacent datasets.
  • Engineer detection-as-code and response automation in collaboration with the client SOC.
  • Run blameless postmortems for security incidents and near-misses, converting lessons into durable engineering improvements.

Skills

AKS · AWS · AWS KMS · Azure · Azure DevOps · Azure Key Vault · Bicep · AWS CDK · Checkov · CloudFormation · Cosign · EKS · Falco · GCP · GitHub · GitHub Actions · GitLab · GitLab CI · GKE · Go · IAM · Jenkins · Kubernetes · Open Policy Agent · Prisma Cloud · Pulumi · Python · Redshift · S3 · Secrets Manager · Sigstore · Terraform · TypeScript · Vault

Certifications

AWS Security Specialty · Azure Security Engineer Associate · Google Professional Cloud Security Engineer · CISSP · CCSP · OSCP · GIAC GCSA

Languages

Python · Go · TypeScript

Industry

Digital health · Life sciences · Pharmaceutical · Biotech · Healthcare

Relocation

No