DevSecOps Engineer

Job Summary

We are seeking a skilled DevSecOps Engineer to join our dynamic team. In this role, you will be responsible for integrating security practices into our DevOps processes, ensuring that our software is both secure and delivered efficiently. As a DevSecOps Engineer, you will work closely with development, operations, and security teams to automate security measures, conduct vulnerability assessments, and respond to security incidents in real-time. This role offers the opportunity to make a significant impact on our company's security posture and contribute to the development of innovative solutions.

About the Company:

We're a team of passionate primary care specialists, medics, data informatics and industry experts who have come together to create simple, intuitive technologies which revolutionise how medical data is digitally reported and transacted.

The role is full-time with a market-competitive package. The role will be heavily involved in Medi2data's in-house development team and be responsible for maintaining best practices and standards in software engineering whilst working with the HOD, Product team, internal engineers, and development partners in driving and ensuring high-quality programming and technical solutions.

We have several in-house platforms that we develop and maintain. Our current main product is a Django web app, managed with Terraform in GCP. We also have an internal and external REST API that we use to support internal static portals (using Cloudfront and lambdas) and external partners.

Now that we have proved our product to the market, we are looking for our next step. We are at an exciting crossroads where we are about to start on the next iteration of automating and using AI for the classification of medical data and medical evidence gathering.

Why this role is available

We're scaling our health-tech platforms and moving deeper into GCP and GKE. We need a senior engineer who will own platform security end-to-end: from guardrails in Terraform and CI/CD to runtime controls in Kubernetes, WAF at the edge and audit-ready evidence for ISO 27001 / NHS DSPT / UK-GDPR.

Requirements

• Bachelor's degree in Computer Science, Information Security, or a related field or equivalent experience/qualifications.
• Proven experience in a DevSecOps or related role.
• Proficiency in security and DevOps tools such as GitHub Actions, Docker, Kubernetes, and security scanning tools.
• Strong understanding of cloud platforms and platform engineering in general (preferably GCP as this is our main provider) and their security features.
• Experience with automation and scripting languages (e.g., Python, Zsh, Bash).
• Familiarity with continuous integration and continuous delivery (CI/CD) pipelines, particularly ArgoCD.
• Excellent problem-solving and analytical skills.
• Strong communication and leadership abilities.

Responsibilities

• Integrate security best practices into the DevOps pipeline, ensuring secure software delivery particularly related to the OWASP top 10.
• Conduct regular vulnerability assessments and provide recommendations for remediation.
• Collaborate with external security audit teams and coordinate the fixes of findings
• Collaborate with development, operations, and security teams to design and implement security solutions.
• Automate security processes, including vulnerability scanning, disaster recovery and incident response.
• Strong understanding of attack vectors, threat modelling and security design reviews.
• Monitor security metrics and prepare reports for stakeholders.
• Stay up-to-date with the latest security trends, threats, and technologies.
• Respond to security incidents and lead post-incident investigations.
• Provide training and guidance to team members on security best practices.

Must-Have Skills

Soft Skills

• Leadership:
  Ability to guide and mentor cross-functional teams in security practices.
• Problem-Solving:
  Strong analytical skills to identify and resolve complex security issues.
• Communication:
  Clear and effective communication with technical and non-technical stakeholders.
• Attention to Detail:
  Meticulous approach to identifying and addressing security vulnerabilities.
• Collaboration:
  Ability to work effectively in a team environment and foster a culture of shared responsibility for security.

Hard Skills

• 5+ years in cloud/K8s platform roles with 2+ years focused on security.
• Terraform at scale (modules, workspaces), plus policy-as-code.
• CI/CD experience (GitHub Actions/GitLab CI/Bitbucket Pipelines)
• Kubernetes runtime security (admission controllers, network policies, pod security, image provenance, secrets, PSP/PSS equivalents).
• WAF ownership and HTTP security hardening experience.
• Practical IR: detection engineering, post-mortems, containment/eradication steps.
• Evidence-oriented workstyle for ISO 27001 / NHS DSPT / UK-GDPR. (You don't need to be a compliance officer, but you know how to turn controls into audit artefacts.)
• Strong written communication; ability to influence and set guardrails without blocking delivery.

Nice-To-Have Skills

• Understanding of AI security attack vectors
• Experience with NHS ecosystems (IM1 Pairing, UK-Core FHIR)
• Datadog Logging/metrics, custom detectors, and cost-aware log pipelines.