




Job Summary: We are seeking a Senior Information Security Analyst to develop and implement robust security solutions, ensuring application integrity. Key Highlights: 1. Expertise in DevSecOps, AppSec, and Cloud Security. 2. Implementation of security-by-design across the SSDLC. 3. Vulnerability lifecycle management and automation. We are looking for a Senior Information Security Analyst with expertise in DevSecOps / AppSec / Cloud Security, focused on cloud security and code review, to join our team. The ideal candidate will be responsible for developing, validating, and implementing robust security solutions, ensuring applications and platforms are developed, maintained, and operated securely—reducing vulnerabilities, protecting sensitive data and user privacy, and ensuring application integrity. Close collaboration with Cyber Security, Architecture, Engineering, and Development teams to embed security-by-design across the entire SSDLC. **Responsibilities and Duties** Define and implement application and platform security strategies aligned with architectural standards in coordination with S.I. Architecture. Integrate security into CI/CD pipelines (Azure DevOps and GitHub Actions): SAST, DAST, SCA, Secret Scanning, container analysis (OCR Scanning/IAST), and risk-based build-blocking policies. Manage the vulnerability lifecycle (SAST/DAST/SCA/Container): triage, prioritization (CVSS/CWE), guidance to squads, and tracking through remediation. Conduct Secure SDLC: Threat Modeling (STRIDE/DREAD/MITRE ATT\&CK), security architecture reviews, security-focused code reviews, guidelines (OWASP Top 10 / API Top 10 / ASVS), and hardening from design through production. Cloud Security (MultiCloud): Azure: Operate native controls (Entra ID/Azure AD, Enterprise Application, App Registration, RBAC, PIM, Conditional Access, Azure Policy, Defender for Cloud), VM/AKS/App Services/Storage hardening, secret and key management (Key Vault). AWS/GCP: Implement identity standards, network segmentation, posture (CSPM), secrets/vaults, observability, and policies. Kubernetes \& Containers: hardening (CIS), admission controls, signed images, scanning, runtime security, namespace segregation, and policies (e.g., NetworkPolicy, PodSecurity). CSPM \& Posture: operate/adjust policies, coordinate remediations, and automate compliance across Azure/AWS/GCP. Automation \& IaC: embed security controls in Terraform (policy-as-code, IaC scanning), create automations and integrations (PowerShell, Python, Go). Incident Response and Hunting: support analysis, feed back into processes, and strengthen defensive controls. Enablement \& Culture: train, raise awareness, and influence engineering teams, positioning security as an enabling partner. Compliance \& Auditing (primarily financial): support evidence collection and adherence to NIST, ISO 27001, OWASP, LGPD, and Bacen regulations where applicable. **Requirements and Qualifications** Proven experience in Application Security / DevSecOps, including technical initiatives and security integration into the SSDLC. Multicloud experience with focus on Azure and AWS (hands-on) and strong familiarity with GCP (strong in AWS/Azure with willingness to expand GCP expertise). Practical experience with CI/CD (Azure DevOps and/or GitHub), SAST, SCA, DAST, Secret Scanning, container analysis, and control automation. IAM/RBAC/PIM, segmentation and networking (VNet/VPC, NSG/SG, Firewall/WAF), cloud policies and posture (Defender for Cloud/CSPM). Kubernetes (AKS/EKS/GKE) and containers: image security, supply chain, policies, and hardening. Secret/vault management (Azure Key Vault, AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault). Solid knowledge of OWASP Top 10, API Security Top 10, ASVS, MITRE ATT\&CK, Zero Trust, and threat modeling. Scripting (PowerShell, Python, or Go, AZ CLI and AWSCLI) and Terraform (IaC) with security best practices (policy/scan). Clear communication, influence, and autonomy to drive remediations and architectural decisions. Bachelor’s degree in IT, Engineering, or related field. **Additional Information** Proven experience with corporate SDL/SSDLC and security-by-design in DevOps/DevSecOps environments. IAST, IaC scanning (e.g., Checkov/tfsec), SAST, image signing, SBOM, and supply chain security (Sigstore/COSIGN). Exposure to large-scale multicloud environments and enterprise tools (CSPM, CIEM, CNAPP). Experience with Threat Emulation/internal pentests and cultural change initiatives within engineering. Experience with financial sector requirements (Bacen Resolutions, NIST, ISO 27001, OWASP, LGPD). Certifications CompTIA Security\+ EC\-Council Certified DevSecOps Engineer (ECDE) CompTIA DevSecOps Engineer AZ\-500 SC\-100 AWS Security Specialty GCP Professional Cloud Security Engineer Stack and Tools (examples) Repos \& Pipelines: Azure DevOps, GitHub/GitHub Actions. AppSec: SAST/DAST/SCA, Secret Scanning, Container/IaC scanning, IAST (where applicable). Cloud \& Posture: Azure Policy, Defender for Cloud (CSPM/CNAPP), AWS/GCP equivalents. K8s/Containers: AKS/EKS/GKE, registries, admission controllers, policies, and runtime security. Secrets/Vaults: Key Vault, Secrets Manager, Secret Manager, HashiCorp Vault. IaC \& Automation: Terraform, Policy as Code, PowerShell, Python, Go. Frameworks: OWASP (Top 10, API Top 10, ASVS), NIST, ISO 27001, MITRE ATT\&CK, Zero Trust. We are ABC Brasil. A multi-service bank with over 35 years of history, specializing in financial solutions and driving major national businesses—combining international stability with the agility of local, responsive, and autonomous management. With a comprehensive portfolio of products and services, our focus is on delivering real impact to our customers—evolving with the market and adapting to each customer’s unique needs, always with responsibility, integrity, and mutual trust. This approach makes us unique. We believe authentic connections—built on respect for differences—create a collaborative, human, and inspiring environment. Here, every person can be themselves—and grow with autonomy and leadership. **ABC Brasil. The bank for those who are singular.** \#EuSouSingular \#SouABCBrasil \#ABCBrasil


