DevSecOps Engineer
TrueML
Description
Why TrueML?
TrueML is a mission-driven financial software company that aims to create better customer experiences for distressed borrowers. Consumers today want personal, digital-first experiences that align with their lifestyles, especially when it comes to managing finances. TrueMLâs approach uses machine learning to engage each customer digitally and adjust strategies in real time in response to their interactions.
The TrueML team includes inspired data scientists, financial services industry experts and customer experience fanatics building technology to serve people in a way that recognizes their unique needs and preferences as human beings and endeavoring toward ensuring nobody gets locked out of the financial system.
\nPosition Summary
We are seeking a Sr. Security Engineer to lead the integration of security across the software
development lifecycle (SDLC). This role sits at the intersection of engineering, cloud infrastructure, and
application security, driving automation, scalability, and secure-by-default development practices.
You will design and implement security-first CI/CD pipelines, embed automated security testing, and
partner with engineering teams to ensure applications are built, deployed, and operated securelyâat
scale
Key Responsibilities
Security Automation & CI/CD Integration (Core Focus)
⢠Embed security controls and scanners (SAST, SCA, DAST, IaC, Container Security) into CI/CD
pipelines
(GitHub Actions, Jenkins, GitLab CI, Azure DevOps)
⢠Design and maintain automated security workflows across build, test, and deploy stages
⢠Implement security gates, policy enforcement, and compliance checks within pipelines
Cloud Security (AWS Focus)
⢠Secure cloud-native architectures across AWS (IAM, VPC, ECS/EKS, Lambda, S3, API Gateway)
⢠Integrate and operationalize CNAPP/CSPM tools (e.g., Wiz, Prisma Cloud)
⢠Enforce least privilege access, secrets management, and runtime protections
- An Experienced Defender: You bring 7-10 years in software engineering, DevOps, or cloud engineering. 3+ years in a DevSecOps focused role and a deep mastery of cloud security, vulnerability analysis, and incident response.
- A Cloud Specialist: You have demonstrable expertise in the AWS ecosystem and are highly proficient in securing Infrastructure as Code (Terraform) and containerized environments.
- Certified and Credentialed: You hold top-tier industry certifications (such as CISSP, SANS GIAC, or CASP) and have a firm grasp of compliance frameworks like PCI and ISO 27001.
- Technically Versatile: You are familiar with OWASP, proficient with modern security tooling, and have the ability to secure complex API integrations and data protection layers.
- AI-Aware: You understand the evolving landscape of AI regulations and have the technical curiosity to investigate how threat actors use AI to bypass traditional controls.
- A Strategic Partner: You are a natural collaborator who can translate complex InfoSec projects into simple, maintainable tasks for Engineering teams.
- An Elite Communicator: You can propose strategic methodologies
Tags
Apply for this Position
About TrueML
Company hiring for Engineering Manager Data Platform
Job Stats
Hiring Across Borders?
Interview Prep Guide
Preparation Strategy
To prepare for this role, focus on reviewing cloud security concepts, including IAM, VPC, ECS/EKS, Lambda, and S3. Practice explaining technical security concepts and designing secure architectures. Review the company's technology stack and values, and be prepared to discuss your experience with security automation, CI/CD pipelines, and cloud security. Use online resources such as AWS documentation, Cloud Security Alliance, and DevSecOps communities to stay current with the latest security threats and technologies.
Likely Interview Rounds
- 1. Screening call~30 min
What to prep: Review the company's technology stack, including AWS and cloud security tools. Be prepared to discuss your experience with security automation, CI/CD pipelines, and cloud security.
- What experience do you have with DevSecOps and cloud security?
- Can you describe your experience with AWS and cloud-native architectures?
- How do you stay current with the latest security threats and technologies?
- 2. Technical~60 min
What to prep: Review cloud security concepts, including IAM, VPC, ECS/EKS, Lambda, and S3. Practice explaining technical security concepts and designing secure architectures.
- How would you design a secure CI/CD pipeline for a cloud-based application?
- What security controls would you implement for a containerized workload on AWS?
- Can you explain the difference between SAST, SCA, and DAST?
- 3. System design~60 min
What to prep: Review system design principles, including scalability, availability, and security. Practice designing secure cloud-based architectures and explaining technical security concepts.
- Design a secure cloud-based architecture for a machine learning application.
- How would you implement least privilege access and secrets management in an AWS environment?
- Can you describe a secure approach to deploying and managing serverless functions on AWS?
- 4. Behavioral~60 min
What to prep: Review the company's values and mission. Practice explaining your experience and skills in a behavioral format, using the STAR method to structure your responses.
- Can you describe a time when you had to communicate complex security concepts to a non-technical team?
- How do you handle conflicting priorities and tight deadlines in a DevSecOps role?
- Tell me about a project you worked on that involved implementing security automation and CI/CD pipelines.
Most Likely Questions
- What experience do you have with DevSecOps and cloud security?
- Can you describe your experience with AWS and cloud-native architectures?
- How do you stay current with the latest security threats and technologies?
- How would you design a secure CI/CD pipeline for a cloud-based application?
- What security controls would you implement for a containerized workload on AWS?
Common Pitfalls
- Lack of experience with cloud security and DevSecOps
- Insufficient knowledge of AWS and cloud-native architectures
- Inability to communicate complex security concepts to non-technical teams
Free Prep Resources
- • AWS Documentation
- • Cloud Security Alliance
- • DevSecOps communities
- • OWASP
- • SANS Institute