<h3>Job Description</h3><p><p><p><p><strong>Who We Are:</strong></p><p>Alpaca is a US-headquartered self-clearing broker-dealer and brokerage infrastructure for stocks, ETFs, options, crypto, fixed income, 24/5 trading, and more. Our recent Series D funding round brought our total investment to over $320 million, fueling our ambitious vision.</p><p>Amongst our subsidiaries, Alpaca is a licensed financial services company, serving hundreds of financial institutions across 40 countries with our institutional-grade APIs. This includes broker-dealers, investment advisors, wealth managers, hedge funds, and crypto exchanges, totalling over 9 million brokerage accounts.</p><p>Our global team is a diverse group of experienced engineers, traders, and brokerage professionals who are working to achieve our mission of <strong>opening financial services to everyone on the planet</strong>. We're deeply committed to open-source contributions and fostering a vibrant community, continuously enhancing our award-winning, developer-friendly API and the robust infrastructure behind it.</p><p>Alpaca is proudly backed by top-tier global investors, including Portage Ventures, Spark Capital, Tribe Capital, Social Leverage, Horizons Ventures, Unbound, SBI Group, Derayah Financial, Elefund, and Y Combinator.</p><p></p><p><strong>Our Team Members:</strong></p><p>We're a dynamic team of 230+ globally distributed members who thrive working from our favorite places around the world, with teammates spanning the USA, Canada, Japan, Hungary, Nigeria, Brazil, the UK, and beyond!<br><br>We're searching for passionate individuals eager to contribute to Alpaca's rapid growth. If you align with our core values—Stay Curious, Have Empathy, and Be Accountable—and are ready to make a significant impact, we encourage you to apply.</p></p><p><strong>Your Role:</strong></p><p>We are seeking a DevSecOps Engineer to own the intersection of security, reliability, and DevOps.
This role will design and implement resiliency across our cloud platform and CI/CD pipelines, embed "security as code," help lead incident response for high-severity outages, and partner with engineering teams to enable safe, fast delivery at scale. </p><p>You will be hands-on and strategic: automating remediation, hardening deployments, owning observability, and driving measurable reductions in security/infra related incident impact. This role reports to the CISO, with a dotted line into Engineering and works closely with DevOps, Product, and Engineering leadership.</p><p>The Security Team is 100% distributed and remote. </p><p></p><p><strong>Things You Get To Do:</strong></p><p>The core responsibilities of the DevSecOps Engineer role are focused on embedding security throughout our infrastructure and software development lifecycle, enhancing cyber resilience, and driving a strong security culture.</p><p><strong>Security Engineering & Automation:</strong></p><ul><li><strong>Secure SDLC Integration:</strong> Embed security into CI/CD pipelines by implementing and owning secure controls, including Infrastructure as Code (IaC) scanning, Software Composition Analysis (SCA), secrets checks, policy-as-code, and deployment guardrails.</li><li><strong>Vulnerability Management:</strong> Lead the process of vulnerability and patch management, automating discovery, prioritization, and remediation across all cloud workloads and their dependencies.</li><li><strong>Platform Hardening:</strong> Strengthen cloud and Kubernetes environments through secure configurations, network segmentation, workload identity management, and automated compliance against industry standards (e.g., CSA Star).</li><li><strong>Supply Chain Security:</strong> Advance the security of the software supply chain, focusing on generating Software Bill of Materials (SBOMs), artifact signing, dependency governance, and implementing integrity controls.</li><li><strong>Secure Patterns:</strong> Create secure 
"paved roads" for developers, providing hardened IaC modules, templates, tooling, and comprehensive documentation.</li></ul><p><strong>Resilience, Detection, and Response:</strong></p><ul><li><strong>Cyber Resilience:</strong> Own and validate cyber-resiliency standards (secure failover, secure backups, Disaster Recovery playbooks) through secure rehearsals to ensure both the availability and integrity of systems and data</li><li><strong>Security Deployment:</strong> Develop secure deployment patterns, such as canary rollouts, automated safe rollbacks, and guardrails to minimize blast radius</li><li><strong>Detection & Forensics:</strong> Improve detection and response capabilities by building high-signal alerts, enhancing forensic logging, and providing robust security telemetry. Partner with the SecOps team on incident handling</li><li><strong>Offensive Security:</strong> Alongside the Security team, help manage offensive security engagements (penetration testing, red team, bug bounty) and ensure findings are fed directly into remediation pipelines and risk prioritization</li></ul><p><strong>Architecture, Identity, and Governance:</strong></p><ul><li><strong>Design & Threat Modeling:</strong> Conduct security reviews and threat modeling for all new services and major architecture changes to ensure designs are secure-by-default</li><li><strong>Identity & Access Management (IAM):</strong> Strengthen the identity and access model by enforcing the principle of least privilege, strong authentication, and secure secrets lifecycle management</li><li><strong>Compliance & Audit:</strong> Support compliance and audit readiness by operationalizing security controls, producing necessary evidence, and maintaining the health of these controls</li></ul><p><strong>Leadership & Culture:</strong></p><ul><li><strong>Security Champion:</strong> Champion a strong security culture by partnering with DevOps and Engineering teams to uplift secure coding practices and guide risk-based 
decision-making</li><li><strong>Metrics & Reporting:</strong> Define key security performance indicators (KPIs) such as time to detect, time to remediate, exposure scores, and percentage of infrastructure covered by automated controls, and report measurable improvements to leadership</li></ul><p></p><p></p><p><strong>Who You Are (Must-Haves):</strong></p><ul><li>Excited about Alpaca's mission and what we're building</li><li>5+ years of experience across DevSecOps, security engineering, or cloud security in a modern cloud-native environment</li><li>Strong hands-on experience with CSPs, Kubernetes, Terraform, and container security</li><li>Deep understanding of secure CI/CD, including IaC security, dependency/SCA, secrets scanning, and policy-as-code</li><li>Solid background in identity & access security</li><li>Experience automating vulnerability management and patching workflows across cloud and container ecosystems</li><li>Strong familiarity with detection engineering, logging/telemetry, and partnering in incident response</li><li>Proficient in a scripting/programming language (Python, Go, or similar) for automation and security tooling</li><li>Comfortable working cross-functionally with DevOps and Engineering teams, explaining risk in practical terms, and influencing secure design</li><li>Comfortable participating in on-call rotations</li></ul><p></p><p><strong>Who You Might Be (Nice-to-Haves):</strong></p><ul><li>Experience securing financial, trading, or other highly regulated platforms</li><li>Knowledge of regulatory frameworks common in fintech (SOC 2, ISO 27001, PCI)</li><li>Experience with supply-chain security (SBOMs, Sigstore, artifact signing) or software integrity programs</li><li>Familiarity with offensive security, bug bounty triage, or penetration testing</li><li>Security or cloud certifications (CISSP, OSCP, GIAC, GCP/AWS Security)</li><li>Bachelor's degree in Computer Science, Information Security, 
or equivalent experience.</li><li>Business acumen to be able to balance tradeoffs between stakeholders and technology feasibility and budget constraints</li></ul><p><strong>How We Take Care of You:</strong><ul><li>Competitive Salary & Stock Options</li><li>Health Benefits</li><li>New Hire Home-Office Setup: One-time USD $500</li><li>Monthly Stipend: USD $150 per month via a Brex Card</li></ul><p><em>Alpaca is proud to be an equal opportunity workplace dedicated to pursuing and hiring a diverse workforce.<br /></em></p><p><em>Recruitment Privacy Policy</em></p></p></p></p>