Staff DevSecOps Engineer

Ever since we started in 2007, Sunrun has been at the forefront of connecting people to the cleanest energy on Earth. It’s why we’ve become the #1 home solar and battery company in America. Today, we’re on a mission to change the way the world interacts with energy, and we’re building a company and brand that puts power at the center of life. And we’re doing it by designing a dynamic culture where employee development, well-being, and safety come first. We’re unlike any other solar company. Our vertically integrated model gives us total control over every part of the energy lifecycle – from sale through installation and beyond – so you can find endless opportunities for growth. Come join a career you can grow in and a culture you can run with.

This position is primarily remote, with occasional visits to a local office or our corporate headquarters for team-building, training, and collaborative project work. These on-site sessions are designed to strengthen connections, share insights, and ensure a seamless experience for our team and customers. Equipment pick-up from a local branch will be required. We will  provide advance notice whenever on-site attendance is required, making these times purposeful and rewarding.

Position Overview:

We are seeking a highly experienced and proactive Staff DevSecOps Engineer to lead the development and implementation of our DevSecOps program. In this critical role, you will be responsible for architecting and integrating security best practices into our software development lifecycle (SDLC) and CI/CD pipelines. Your deep expertise will be instrumental in establishing and maturing robust vulnerability management, static application security testing (SAST), software composition analysis (SCA), and secrets scanning processes to proactively identify, assess, and mitigate security risks. You will work closely with development, operations, and security teams, providing mentorship and fostering a security-first culture.

Key Responsibilities:

• Architect and Implement DevSecOps Program:Design, build, mature, and maintain a comprehensive DevSecOps program, including strategy, policies, standards, and procedures. Drive the adoption of DevSecOps practices across the organization.

• CI/CD Pipeline Security:Architect, implement, and optimize the integration of security tools and processes (SAST, DAST, SCA, secrets scanning) into CI/CD pipelines to ensure automated and effective security checks at every stage of development.

• Advanced Vulnerability Management:Lead and enhance the vulnerability management lifecycle, including advanced identification techniques, risk-based assessment, strategic prioritization, remediation tracking, and comprehensive reporting of vulnerabilities across applications and infrastructure.

• Static Application Security Testing (SAST):Implement, configure, manage, and scale SAST tools to identify security flaws in source code. Work with development teams to remediate findings and provide expert guidance on secure coding practices and architectural patterns.

• Software Composition Analysis (SCA):Deploy, manage, and optimize SCA tools to identify and mitigate risks associated with open-source components and third-party libraries, including known vulnerabilities and license compliance issues. Develop strategies for managing supply chain security.

• Secrets Scanning & Management: Implement and manage advanced tools and processes for detecting and preventing secrets (API keys, passwords, certificates) leakage in code repositories, configuration files, and CI/CD pipelines. Champion and enforce secure secrets management practices and solutions.

• Security Automation and Orchestration:Design and implement automation and orchestration for security testing, monitoring, and response processes to improve efficiency, effectiveness, and speed of remediation.

• Security Champion, Mentorship & Training:Act as a senior security champion, providing expert guidance, mentorship, training, and support to development, operations, and junior security team members on secure development practices and DevSecOps principles.

• Incident Response Leadership:Play a key role in security incident response activities, including investigation, containment, remediation, and post-mortem analysis.

• Stay Current & Innovate:Keep abreast of emerging security threats, vulnerabilities, advanced attack techniques, and industry best practices in DevSecOps. Drive innovation in security tooling and processes.

Required Qualifications:

• Bachelor's degree in Computer Science, Information Security, or a related field, or equivalent practical experience.

• 8+ years of progressive experience in DevSecOps, Application Security, or Security Engineering roles, with a significant portion at a senior or lead level. 

• Proven track record of designing, implementing, and leading successful DevSecOps programs and integrating security deeply into CI/CD pipelines.

• Expert-level hands-on experience with SAST tools (e.g., GHAS, Checkmarx, Veracode, Semgrep).

• Expert-level hands-on experience with SCA tools (e.g., OWASP Dependency-Check, Snyk, Black Duck, Mend).

• Extensive experience with secrets scanning tools (e.g., GitLeaks, TruffleHog, HashiCorp Vault, CyberArk).

• Deep understanding and experience with advanced vulnerability management principles and tools (e.g., Wiz, Orca, Nessus, OpenVAS).

• Proficiency in multiple scripting languages (e.g., Python, Bash, PowerShell, Go).

• Strong experience with serverless/containerization technologies (e.g., Docker, Kubernetes) and their security hardening and monitoring.

• In-depth knowledge of cloud security principles, services, and best practices (AWS, Azure, GCP).

• Expert understanding of common web application vulnerabilities (OWASP Top 10, SANS Top 25) and advanced mitigation techniques.

• Strong analytical, strategic thinking, and problem-solving skills.

• Excellent communication, presentation, and interpersonal skills, with the ability to influence and collaborate effectively with technical and non-technical stakeholders at all levels, including leadership.

• Demonstrated experience mentoring and leading junior engineers.

Preferred Qualifications:

• Master's degree in Computer Science, Information Security, or a related field.

• Relevant advanced security certifications (e.g., CISSP-ISSAP/ISSEP, CSSLP, OSCP, OSCE, GIAC certifications like GCSA, GWEB, GCIH, GDSA).

• Extensive experience with Infrastructure as Code (IaC) security (e.g., Terraform, CloudFormation, Pulumi) and tools like Terrascan, Checkov.

• Experience with Dynamic Application Security Testing (DAST) tools and IAST.

• Experience in developing and presenting security dashboards and metrics to executive leadership.

• Published security research or contributions to open-source security projects.

Recruiter:

Please note that the compensation information is made in good faith for this position only.  It assumes that the successful candidate will be located in markets within the United States that warrant the compensation.  Please speak with your recruiter to learn more.

Starting salary/wage for this opportunity:

Compensation decisions will not be based on a candidate's salary history. You can learn more here.

This job description outlines the primary responsibilities, some essential job functions, and qualifications for the role. It may not include all essential functions, tasks, or requirements. If you are a qualified individual with a disability and you need reasonable accommodation during the hiring process or to perform this role, please contact us at candidateaccommodations@sunrun.com.

Sunrun is proud to be an equal opportunity employer that does not tolerate discrimination or harassment of any kind.  We believe that empowering people and valuing their differences are essential for our mission of connecting people to the cleanest energy on earth. Learn more here: EEO | Sunrun