SENIOR DEVSECOPS ENGINEER  

(In Office Draper Utah) 

JOB PURPOSE 

As an information security DevSecOps Engineer on the Upbound Information Security team, you will be a vital member of a technical and hands-on security team supporting Upbound’s product offerings and the cloud infrastructure/services used. You will be a member of the Cloud and Application security team which is responsible for designing, deploying, implementing, automating, and operationalizing all aspects of application and cloud security for all business units across the enterprise.  

The DevSecOps engineer will work closely with DevOps Engineers and Application Developers to build a strong and scalable security program. You will focus on securing an enterprise multi-cloud environment where you will write sound policy and standards and build automation to support your mission of enabling engineers to operate securely by default.  

This position will work closely with the application security engineers and other security engineers to impact the entire engineering organization. You will perform hands-on work with all layers and pieces of the technology stack and actively monitor our systems for attacks and intrusions in both on-prem and cloud environments. You will utilize your experience to own and resolve complex security incidents, implement security toolsets as well as automate and operationalize these toolsets to maximize our risk management capabilities. You will address policy questions and resolve security issues of a technical nature and will work with our software engineers to proactively identify and fix security flaws and vulnerabilities in our production environments.  

ABOUT UPBOUND 

 

Upbound Group, Inc. (effective February 27, 2023: NASDAQ: UPBD) is an omni-channel platform company committed to elevating financial opportunity for all through innovative, inclusive, and technology-driven financial solutions that address the evolving needs and aspirations of consumers. The Company’s customer-facing operating units include industry-leading brands such as Rent-A-Center and Acima that facilitate consumer transactions across a wide range of store-based and digital retail channels, including over 2,400 company branded retail units across the United States, Mexico and Puerto Rico. Upbound Group, Inc. is headquartered in Plano, Texas. Acima is headquartered in Draper Utah. 

 

RESPONSIBILITIES 

Drive the development, implementation, installation, and operationalization of information security toolsets, platforms, infrastructure, and services used to monitor and protect our team and business units. Such platforms and services could include: Code analysis (SAST/DAST/IAST) toolsets, vulnerability management for containers and cloud platforms, Log management/SIEM and security monitoring & detection, etc.  Monitor and remediate cloud misconfigurations and monitor a multi-cloud environment for intrusions and indicators of compromise.  Ensure the systems and platforms in our purview are integrated with the appropriate log management and performance monitoring capabilities and that alerting and automation processes are in place to address issues.  Conduct technical, operational, and security/risk evaluations to identify coverage gaps in existing information security controls, corporate and production infrastructure, architecture, and processes. With your findings, propose suitable mitigations or compensating controls that address the concerns that fit the cultural and business needs of the team and organization.  Respond to and investigate security incidents. Coordinate with leadership and Acima’s security operations team regarding findings and mitigations.  Work with and support our Application Security Engineers' efforts to secure the product offering and the cloud platforms used to deliver the offering. 

 

QUALIFICATIONS 

 

Bachelor's degree, a combination of experience and/or an associate’s degree, or an equivalent combination of education, training, and work or volunteer experience. Having (or planning to have) information security and cloud-related technology certifications are a plus.    Securing public facing and consumer focused SaaS applications  Security concepts in AWS and security tools such as Inspector, GuardDuty, Macie, Config, CloudFormation, CloudWatch, CloudTrail, Trusted Advisor, WAF, etc., while familiar with third-party alternatives (and when it is beneficial to use them).  Writing and understanding infrastructure as code such as Terraform and AWS Cloud Formation.  Scripting and automation using Python or similar languages.  Implementing, Integrating, and tuning network and cloud security infrastructure, applications (web and mobile), as well as security tools and platforms, and the automation to operationalize them.  Integrating security in the continuous integration, continuous delivery, and continuous deployment (CI/CD) pipeline for Networking as code and Infrastructure as code (running unit tests, running security tools, managing secrets and using tools such as Vault). You should also understand how to use configuration management and automation tools such as Jenkins, Ansible, etc.  Monitoring, evaluating, and interpreting vulnerabilities/CVEs, risk, and security assessments, cloud platform/system/device/IDS/IPS logs, threat analysis and malware.  Excellent oral and written communications skills for working with a diverse professional clientele with varying levels of technical expertise. Ability to interact with internal and external customers, leadership, and co-workers in person, virtually, and in writing.  Researching highly technical topics and deriving logical conclusions using well-thought-out processes, eliminating bias and logical fallacies.  Combining information from various sources into clear, concise technical documents that explain the background and procedures for detecting and mitigating risk. 

 

You should have an understanding of: 

 

Information security architecture, mitigation of threats, and compensating controls.  Proven methods for analyzing and interpreting information from Security Operations Centers (SOCs), Computer Security Incident Response Teams (CSIRTs), or SecOps systems  Digital forensics procedures and tools, malware analysis, and reverse engineering.  Implementing and working with industry standards and guidelines relevant to the role and our industry, such as ISO, ITIL, NIST, SANS, CIS, ACIPA SOC1/SOC2/SOC3, and PCI.  Possess and nurture a hacker mentality: Being able to visualize issues and possible solutions outside the box. 

 

BENEFITS/COMPENSATION 

DTO (discretionary time off).  Medical insurance with Blue Cross Blue Shield  Dental insurance (Cigna) and Vision insurance (United Healthcare)  Health Savings Account (HSA) with company contribution.  Paid holidays  401K match 6%/3%  College tuition reimbursement program (STEAM)