Job Description
Work Schedule
First Shift (Days)Environmental Conditions
OfficeJob Description
ThermoFisher Scientific Inc. (NYSE: TMO) is the world leader in serving science, withrevenues of more than$20 billionand approximately 65,000 employees globally. Our mission is to enable our customers to make the world healthier,cleanerand safer. We help our customers accelerate life sciences research, solve complex analytical challenges, improve patient diagnostics, deliver medicines tomarketand increase laboratory productivity. Through our premier brands –ThermoScientific, Applied Biosystems, Invitrogen, FisherScientificand Unity Lab Services – we offer an unmatched combination of innovative technologies,purchasingconvenience and comprehensive services
The Position
We are seeking aDevSecOpsEngineer to integrate security practices into our DevOps processes, ensuring that applications and infrastructure are secure by design. This role focuses on embedding security controls across the CI/CD pipeline, enabling secure software delivery whilemaintainingdevelopment velocity.
You will work closely with development, QA, DevOps, and security teams toidentifyrisks, implement automated security checks, and enforce best practices across the software development lifecycle. The role requires a proactive mindset to continuously improve security posture in complex, distributed environments
Key responsibilitiesinclude, but are not exclusively:
Design, implement, and maintain secure CI/CD pipelines using Jenkins and GitLab, ensuring integration of security controls throughout the software delivery lifecycle
Implement and manage automated SBOM generation (CycloneDX, SPDX) within CI/CD pipelines, ensuring accuracy and completeness of metadata
Integrate SBOM data with vulnerability management platforms (e.g., Dependency-Track) to enable continuous monitoring of third-party risks
Support compliance with cybersecurity regulations and standards (including Executive Order 14028), translating requirements into enforceable technical controlsandpreparation for EU CRA.
Implement and manage vulnerability tracking and remediation workflows using tools such asDefectDojo
Establish and enforce software supply chain security practices, including governance of third-party and open-source components
Manage andmaintainartifact repositories, ensuring proper classification of internal vs. external packages and secure usage of package sources (NuGet, Conan, Sky)
Implement and enforce software license compliance, including automated license scanning and validation using SPDX identifiers
Design andmaintainsecure, isolated, or controlled build environments to ensure integrity of the software build process
Integrate static code analysis and security scanning tools (e.g.,SonarQube, TICSandCodeQL) into CI/CD pipelines
Develop andmaintainautomation scripts (Python, PowerShell) to support security processes and pipeline efficiency
Secure containerized environments (Docker, Kubernetes), including image hardening, access control (RBAC), and vulnerability scanning
Collaborate with infrastructure teams to ensure VMware environments are hardened and aligned with security best practices
Apply Secure Software Development Lifecycle (SSDLC) practices across development teams, embedding security early in the process
Define, implement, and enforce security policies, standards, and compliance controls across development and DevOps workflows
Collaborate closely with development, QA, and DevOps teams to remediate vulnerabilities and improve secure coding practices
Support audit and compliance activities bymaintainingdocumentation, traceability, and evidence in tools such as Confluence
Proven experience in supporting teams performing OWASP threat modeling
Participate in Agile processes using Jira, contributing to sprint planning, backlog refinement, and continuous improvement initiatives
Work within Scrum, Kanban, and scaled Agile (ART) environments, collaborating with cross-ART teams to align on shared security practices
Perform risk assessments and proactivelyidentifysecurity gaps, proposing and implementing mitigation strategies
Continuously improveDevSecOpstooling, processes, and practices to enhance security posture withoutimpactingdelivery speed
Requirements:
The ideal candidate combines strong DevOpsexpertisewith deep knowledge of application security,
softwaresupply chainsecurity, andregulatory compliance, and thrives in complex, highly regulated environments.
University degree in Computer Science, Cybersecurity, Software Engineering, or a related technical discipline
8+ years ofStrong experience designing, implementing, and maintaining secure CI/CD pipelines using Jenkins and GitLab
Mandatory hands-on experience implementing Software Bill of Materials (SBOM) generation within CI/CD pipelines (CycloneDX, SPDX formats), including metadata collection and validation
Experience integrating SBOMs with vulnerability management platforms such as Dependency-Track or equivalent tools
Hands-on experience with vulnerability management and tracking tools (e.g.,DefectDojoor similar), including remediation workflows
Strong understanding of software supply chain security, including governance of third-party and open-source components
Experience managing artifact repositories and package ecosystems, including NuGet, Conan, and internal repositories (e.g., Sky), with clear understanding of internal vs. external package classification
Strong knowledge of software license management, SPDX license identifiers, and automated license compliance enforcement
Experience integrating static code analysis and security scanning tools (e.g., SonarQube, TICS,CodeQL) into CI/CD pipelines
Hands-on experience designing andmaintainingsecure, isolated, or controlled build environments
Strong scripting and automation skills using Python and/or PowerShell
Experience securing containerized environments using Docker and Kubernetes, including image hardening, RBAC, and vulnerability scanning
Strong understanding of VMware infrastructure security and system hardening best practices
Solid understanding and practical application of Secure Software Development Lifecycle (SSDLC) principles
Experience defining, implementing, and enforcing security policies, standards, and compliance controls across development and DevOps processes
Experience supporting compliance with cybersecurity regulations and standards (e.g., Executive Order 14028, EU Cyber Resilience Act) and translating them into technical implementations
Familiarity with OWASP practices, including supporting or contributing to threat modeling activities
Experience working in audit-driven and regulated environments, with ability to produce documentation, traceability, and compliance evidence (e.g., via Confluence)
Experience working in Agile environments using Jira, including Scrum, Kanban, and scaled Agile frameworks (ART)
Strong analytical, risk assessment, and problem-solving skills, with the ability toidentifyvulnerabilities and propose effective mitigation strategies
Proven ability to collaborate effectively with development, QA, DevOps, and infrastructure teams to drive secure development practices
Strong communicationskills, with the ability to translate security and regulatory requirements into actionable technical solutions
Fluent in English (B2 level or higher)