At Newforma, you’ll help shape the future of project information management for architects, engineers, and contractors worldwide. Join a team that’s trusted by over 1,500 firms to simplify how they work. Together, we’re creating tools that connect people to the information they need, faster and smarter. Let’s build something great.
We're seeking a DevSecOps Specialist to join our Platform Engineering team and play a pivotal role in establishing and evolving our security-first culture. As Newforma undergoes a strategic migration from Azure to AWS, you'll be instrumental in building secure, automated infrastructure and embedding security practices throughout our software development lifecycle. This is an opportunity to shape the DevSecOps foundation for a platform trusted by hundreds of thousands of users managing sensitive project data across the construction industry.
In this role, your responsibilities will include:
Security Leadership & Culture
- Champion DevSecOps principles across engineering teams, fostering a culture where security is everyone's responsibility.
- Establish and evangelize security best practices, secure coding standards, and threat modeling approaches.
- Mentor and guide development teams on security automation, vulnerability management, and secure architecture patterns.
- Lead by example, demonstrating how to balance security requirements with development velocity and business needs.
- Conduct security training sessions and create documentation to elevate the organization's security awareness.
- Partner with engineering leadership to define and track security metrics and KPIs.
AWS Security & Infrastructure
- Support the team in designing and implementing secure cloud infrastructure on AWS, following the AWS Well-Architected Framework security pillar.
- Architect and maintain Identity and Access Management (IAM) policies, roles, and service control policies across AWS accounts.
- Support the team in implementing security controls using AWS services including GuardDuty, Security Hub, Config, CloudTrail, and WAF.
- Design and enforce network security using VPCs, security groups, NACLs, and AWS PrivateLink.
- Establish secrets management strategies using AWS Secrets Manager and Parameter Store.
- Lead the security aspects of the Azure-to-AWS migration, ensuring secure architecture patterns and data protection.
- Implement infrastructure-as-code security scanning and policy enforcement using tools like Checkov, tfsec, or AWS CDK.
CI/CD Security & Automation
- Build and maintain secure CI/CD pipelines integrating security scanning at every stage of the development lifecycle.
- Implement automated security testing including SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), and SCA (Software Composition Analysis).
- Integrate container security scanning and image vulnerability assessment into build pipelines.
- Automate compliance checks and security policy enforcement in deployment workflows.
- Design and implement automated remediation workflows for common security findings.
- Establish secure artifact management and software supply chain security practices.
Vulnerability & Compliance Management
- Implement and maintain vulnerability scanning and management programs for applications, containers, and infrastructure.
- Establish processes for triaging, tracking, and remediating security vulnerabilities.
- Ensure compliance with industry standards and regulations relevant to the AECO industry.
- Conduct regular security assessments and security audits, and coordinate penetration testing.
- Develop and maintain incident response playbooks and participate in security incident response.
- Create and maintain security baselines and hardening standards for systems and applications.
Monitoring & Incident Response
- Design and implement security monitoring, logging, and alerting solutions using CloudWatch, CloudTrail, and SIEM tools.
- Establish threat detection and response capabilities for cloud infrastructure and applications.
- Build automated alerting and response mechanisms for security events.
- Conduct security investigations and root cause analysis for security incidents.
- Implement and maintain disaster recovery and business continuity plans from a security perspective.
Collaboration & Integration
- Work on security initiatives in collaboration with other members of the platform engineering team.
- Work closely with development teams to integrate security into all aspects of the SDLC.
- Collaborate with the Lead Software Architect to ensure security considerations are addressed in architectural decisions.
- Partner with compliance and legal teams on security requirements and audit preparation.
- Engage with third-party security vendors and manage security tooling evaluation and implementation.
- Participate in agile ceremonies including daily stand-ups, sprint planning, and retrospectives.
Requirements for the position include:
- 7+ years of experience in DevOps, Security Engineering, or related roles with at least 3 years focused on DevSecOps practices.
- Strong hands-on experience with AWS security services and best practices, including IAM, Security Hub, GuardDuty, Config, KMS, and CloudTrail.
- Proven track record of implementing security automation and integrating security into CI/CD pipelines.
- Deep understanding of infrastructure-as-code security (Pulumi, Terraform, AWS CDK, CloudFormation).
- Experience with container security, including Docker, Kubernetes/EKS security, and container image scanning.
- Proficiency with security scanning tools such as SonarQube, Snyk, Aqua Security, Prisma Cloud, or similar.
- Strong knowledge of application security principles, OWASP Top 10, and secure coding practices.
- Experience with scripting and automation using Python, Bash, or PowerShell.
- Understanding of network security, encryption, certificate management, and secrets management.
- Familiarity with compliance frameworks (SOC 2, ISO 27001, GDPR) and security audit processes.
- Excellent communication skills with the ability to explain complex security concepts to diverse audiences.
- Experience mentoring and influencing engineering teams on security best practices.
- Bachelor's degree in Computer Science, Information Security, or related field.
Nice to have qualifications for this position include:
- AWS Security certifications (AWS Certified Security - Specialty, AWS Solutions Architect, or similar).
- Additional security certifications such as CISSP, CEH, GIAC, or OSCP.
- Experience migrating security controls and practices from Azure to AWS.
- Hands-on experience with Azure security services (Azure Security Center, Defender, Sentinel).
- Knowledge of .NET/C# application security and secure development practices.
- Experience with React or frontend security considerations.
- Familiarity with Kubernetes security tools and practices (admission controllers, policy engines, runtime security).
- Experience with DevSecOps in SaaS/multi-tenant environments.
- Knowledge of security considerations for document management and file storage systems.
- Experience with API security, OAuth 2.0, SAML, and identity federation.
- Familiarity with supply chain security and SBOM (Software Bill of Materials) practices.
- Experience with security aspects of AI/ML systems and data protection.
- Bilingual in French and English.
Why Work at Newforma?
- Purpose-driven work: Help professionals in the AECO industry solve real-world challenges.
- Global impact: Our tools are used on over 16 million projects worldwide.
- Collaborative culture: Work alongside talented teammates who value your input.
- Room to grow: We support your career development through learning opportunities and mentorship.
- Innovation at its core: Be part of a company that’s always evolving to meet industry needs.