
Senior Information Security Analyst - DevSecOps / Cloud Security

Indeed
Full-time
Onsite
No experience limit
No degree limit
Praça do Patriarca, 62 - Centro Histórico de São Paulo, São Paulo - SP, 01002-010, Brazil

Description

Job Summary: Senior Information Security Analyst specializing in cloud security and code review, responsible for implementing robust security solutions to protect data and ensure application integrity.

Key Highlights:

1. Collaborative work with Cyber Security, Architecture, Engineering, and Development
2. Integrate security into CI/CD pipelines (Azure DevOps and GitHub Actions)
3. Lead Secure SDLC: Threat Modeling and security-focused code reviews

We are seeking a Senior Information Security Analyst with expertise in DevSecOps / AppSec / Cloud Security, focused on cloud security and code review, to join our team. The ideal candidate will be responsible for developing, validating, and implementing robust security solutions, ensuring applications and platforms are developed, maintained, and operated securely—reducing vulnerabilities, protecting sensitive data and user privacy, and ensuring application integrity. Collaborate closely with Cyber Security, Architecture, Engineering, and Development to embed security-by-design across the entire SSDLC.

**Responsibilities and Duties**

* Define and implement application and platform security strategies aligned with architectural standards in collaboration with SI Architecture.
* Integrate security into CI/CD pipelines (Azure DevOps and GitHub Actions): SAST, DAST, SCA, Secret Scanning, container analysis (OCR Scanning/IAST), and risk-based build-blocking policies.
* Manage the vulnerability lifecycle (SAST/DAST/SCA/Container): triage, prioritization (CVSS/CWE), guidance to squads, and tracking to remediation.
* Lead Secure SDLC: Threat Modeling (STRIDE/DREAD/MITRE ATT&CK), security architecture reviews, security-focused code reviews, guidelines (OWASP Top 10 / API Top 10 / ASVS), and hardening from design through production.

**Cloud Security (MultiCloud):**

* Azure: Operate native controls (Entra ID/Azure AD, Enterprise Application, App Registration, RBAC, PIM, Conditional Access, Azure Policy, Defender for Cloud), harden VMs, AKS, App Services, and Storage, manage secrets and keys (Key Vault).
* AWS/GCP: Implement identity standards, network segmentation, posture (CSPM), secrets/vaults, observability, and policies.
* Kubernetes & Containers: hardening (CIS), admission controls, signed images, scanning, runtime security, namespace segregation, and policies (e.g., NetworkPolicy, PodSecurity).
* CSPM & Posture: operate/adjust policies, coordinate remediations, and automate compliance across Azure/AWS/GCP.
* Automation & IaC: embed security controls in Terraform (policy-as-code, IaC scanning), create automations and integrations (PowerShell, Python, Go).
* Incident Response and Hunting: support investigations, feed back into processes, and strengthen defensive controls.
* Enablement & Culture: train, raise awareness, and influence engineering teams, positioning security as an enabling partner.
* Compliance & Auditing (primarily financial): support evidence collection and adherence to NIST, ISO 27001, OWASP, LGPD, and Bacen regulations where applicable.

**Requirements and Qualifications**

* Proven experience in Application Security / DevSecOps, including technical initiatives and security integration into the SSDLC.
* Multicloud experience with focus on Azure and AWS (hands-on) and strong familiarity with GCP (strong in AWS/Azure with willingness to expand GCP expertise).
* Practical experience with CI/CD (Azure DevOps and/or GitHub), SAST, SCA, DAST, Secret Scanning, container analysis, and control automation.
* IAM/RBAC/PIM, segmentation and networking (VNet/VPC, NSG/SG, Firewall/WAF), cloud policies and posture (Defender for Cloud/CSPM).
* Kubernetes (AKS/EKS/GKE) and containers: image security, supply chain, policies, and hardening.
* Secrets/vault management (Azure Key Vault, AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault).
* Solid knowledge of OWASP Top 10, API Security Top 10, ASVS, MITRE ATT&CK, Zero Trust, and threat modeling.
* Scripting (PowerShell, Python or Go, AZ CLI and AWS CLI) and Terraform (IaC) with security practices (policy/scan).
* Clear communication, influence, and autonomy to drive remediations and architectural decisions.
* Bachelor’s degree in IT, Engineering, or related field.

**Certifications (Preferred)**

* CompTIA Security+
* EC-Council Certified DevSecOps Engineer (ECDE)
* CompTIA DevSecOps Engineer
* AZ-500
* SC-100
* AWS Security Specialty
* GCP Professional Cloud Security Engineer

**Additional Information**

* Health Insurance
* Omint Dental Insurance
* Life Insurance
* Profit Sharing (PLR)
* Performance Bonus (PPR)
* ABC com Você: a program supporting employees and their families with legal, social, psychological, and financial assistance
* Meal Voucher
* Food Allowance
* Extended Paternity and Maternity Leave: 20 days paternity leave and 6 months maternity leave
* Daycare/Babysitter Assistance
* Annual Day Off
* Remote Work Allowance
* Home Office Infrastructure Allowance
* TotalPass

We are ABC Brasil. A multi-service bank with over 35 years of history, specializing in financial solutions and driving major businesses across Brazil — combining international solidity with the agility of local, close, and autonomous management. With a comprehensive portfolio of products and services, our focus is on generating real impact for our customers, evolving with the market and adapting to each customer’s needs — always with responsibility, integrity, and mutual trust. This way of engaging makes us unique. We believe authentic connections built on respect for differences foster a collaborative, human, and inspiring environment. Here, every person can be themselves — and grow with autonomy and leadership.

**ABC Brasil. The bank for those who are singular.**

#EuSouSingular #SouABCBrasil #ABCBrasil

Source: Indeed
João Silva
Indeed · HR

© 2025 Servanan International Pte. Ltd.