DevSecOps Engineer

Ever since we started in 2007, Sunrun has been at the forefront of connecting people to the cleanest energy on Earth. It’s why we’ve become the #1 home solar and battery company in America. Today, we’re on a mission to change the way the world interacts with energy, and we’re building a company and brand that puts power at the center of life. And we’re doing it by designing a dynamic culture where employee development, well-being, and safety come first. We’re unlike any other solar company. Our vertically integrated model gives us total control over every part of the energy lifecycle – from sale through installation and beyond – so you can find endless opportunities for growth. Come join a career you can grow in and a culture you can run with.

This position is primarily remote, with occasional visits to a local office or our corporate headquarters for team-building, training, and collaborative project work. These on-site sessions are designed to strengthen connections, share insights, and ensure a seamless experience for our team and customers. Equipment pick-up from a local branch will be required. We will  provide advance notice whenever on-site attendance is required, making these times purposeful and rewarding.

Position Overview:
We are seeking an experienced and proactive DevSecOps Engineer to lead the development and implementation of our DevSecOps program. In this critical role, you will be responsible for integrating security best practices into our software development lifecycle (SDLC) and CI/CD pipelines. Your expertise will be instrumental in establishing robust vulnerability management, static application security testing (SAST), software composition analysis (SCA), and secrets scanning processes to proactively identify, assess, and mitigate security risks. You will work closely with development, operations, and security teams to foster a security-first culture.

Key Responsibilities:

• Develop and Implement DevSecOps Program: Design, build, and maintain a comprehensive DevSecOps program, including strategy, policies, standards, and procedures.
• CI/CD Pipeline Security: Integrate security tools and processes (SAST, DAST, SCA, secrets scanning) into CI/CD pipelines (e.g., Jenkins, GitLab CI, Azure DevOps, GitHub Actions) to ensure automated security checks at every stage of development.
• Vulnerability Management: Establish and manage a robust vulnerability management lifecycle, including identification, assessment, prioritization, remediation tracking, and reporting of vulnerabilities across applications and infrastructure.
• Static Application Security Testing (SAST): Implement, configure, and manage SAST tools to identify security flaws in source code. Work with development teams to remediate findings and provide guidance on secure coding practices.
• Software Composition Analysis (SCA): Deploy and manage SCA tools to identify and mitigate risks associated with open-source components and third-party libraries, including known vulnerabilities and license compliance issues.
• Secrets Scanning & Management: Implement and manage tools and processes for detecting and preventing secrets (API keys, passwords, certificates) leakage in code repositories, configuration files, and CI/CD pipelines. Promote secure secrets management practices.
• Security Automation: Automate security testing, monitoring, and response processes to improve efficiency and effectiveness.
• Security Champion & Training: Act as a security champion, providing guidance, training, and support to development and operations teams on secure development practices and DevSecOps principles.
• Threat Modeling: Participate in and facilitate threat modeling exercises to identify potential security risks in new and existing applications.
• Incident Response: Assist in security incident response activities, including investigation, containment, and remediation.
• Compliance and Auditing: Ensure that security practices align with industry standards and regulatory requirements. Support internal and external audits.
• Stay Current: Keep abreast of emerging security threats, vulnerabilities, and industry best practices in DevSecOps.

Required Qualifications:

• Bachelor's degree in Computer Science, Information Security, or a related field, or equivalent practical experience.
• 3+ years of experience in a DevSecOps, Application Security, or Security Engineering role.
• Proven experience in designing and implementing DevSecOps programs and integrating security into CI/CD pipelines.
• Hands-on experience with SAST tools (e.g., SonarQube, Checkmarx, Veracode).
• Hands-on experience with SCA tools (e.g., OWASP Dependency-Check, Snyk, Black Duck).
• Experience with secrets scanning tools (e.g., GitLeaks, TruffleHog, HashiCorp Vault).
• Strong understanding of vulnerability management principles and tools (e.g., Nessus, Qualys, OpenVAS).
• Proficiency in scripting languages (e.g., Python, Bash, PowerShell).
• Experience with containerization technologies (e.g., Docker, Kubernetes) and their security implications.
• Familiarity with cloud security principles and services (AWS, Azure, GCP).
• Excellent understanding of common web application vulnerabilities (OWASP Top 10) and mitigation techniques.
• Strong analytical and problem-solving skills.
• Excellent communication and collaboration skills, with the ability to work effectively with technical and non-technical teams.

Preferred Qualifications:

• Master's degree in Computer Science, Information Security, or a related field.
• Relevant security certifications (e.g., CISSP, CSSLP, OSCP, GIAC certifications like GCSA, GWEB, GCIH).
• Experience with Infrastructure as Code (IaC) security (e.g., Terraform, CloudFormation).
• Experience with Dynamic Application Security Testing (DAST) tools.
• Knowledge of security frameworks and standards (e.g., NIST, ISO 27001, SOC 2).
• Experience in developing security dashboards and metrics for reporting.

Recruiter:

Please note that the compensation information that follows is a good faith estimate for this position only and is provided pursuant to acts, such as The Equal Pay Transparency Act. It assumes that the successful candidate will be located in markets within the United States that warrant the compensation listed. Candidates in locations outside this local area may have a different  starting salary range for this opportunity which may be higher or lower.  Please speak with your recruiter to learn more.

Starting salary/wage for this opportunity:

Sunrun provides a variety of benefits to employees, including health insurance coverage, a wellbeing program, life and disability insurance, a retirement savings plan, paid holidays, and paid time off (PTO). Other rewards may include annual bonus eligibility, based on both company and individual performance, as well as short- and long-term incentives and program-specific awards. Compensation decisions will not be based on a candidate's salary history. Please note: Employee benefits do not apply to our Fusion and Street Sales roles, which are 100% commission-based, (1099-NEC) positions.

This description sets forth the general nature and level of the qualifications and duties required of employees in this job classification, as well as some of the essential functions of this role.  It is not designed to be a comprehensive inventory of all essential duties and qualifications. If you have a disability or special need that may require reasonable accommodation in order to participate in the hiring process or to perform this role if you are offered employment, please let us know by contacting us at candidateaccomodations@sunrun.com.

Sunrun is proud to be an equal opportunity employer that does not tolerate discrimination or harassment of any kind. Our commitment to Diversity, Inclusion & Belonging drives our ability to build diverse teams and develop inclusive work environments. At Sunrun, we believe that empowering people and valuing their differences are essential for our mission of connecting people to the cleanest energy on earth. We are committed to equal employment opportunities without consideration of race, color, religion, ethnicity, citizenship, political activity or affiliation, marital status, age, national origin, ancestry, disability, veteran status, sexual orientation, gender identity, gender expression, sex or gender, pregnancy or any other basis protected by law. We also consider qualified applicants with criminal convictions, consistent with applicable federal, state and local law.