DevSecOps Engineer
Towne · Remote
At Towne Park, it’s more than a job, you can make an impact.
A career with us is rewarding in more ways than one.
As a hospitality services company, our commitment is to create smiles by delivering exceptional experiences. When you work with us, you have an opportunity to impact the millions of patients, visitors and guests we proudly serve. Whether providing compassionate service that eases the anxiety of a patient and their family, creating a memorable experience for a guest in a new city, or helping a colleague, every day is a new opportunity to brighten someone else’s day and make an impact. When we see a customer, a client or one of our own team members smile, we know we made an impact. It’s why we do what we do.
Towne Park is a place where you can make a difference and create smiles every day.
The DevSecOps Engineer will own how software ships and how our cloud infrastructure stays secure, from pipeline to production.
This is a hands-on, end-to-end ownership role. Will design and operate our Azure CI/CD pipelines, codify our infrastructure and security policies, and drive remediation of security findings across the environment. Will work directly with application engineers and leadership.
ESSENTIAL FUNCTIONS
Reasonable accommodations may be made to enable individuals with disabilities to perform all functions.
1. CI/CD & Release Engineering (Azure DevOps) (20%)
Design, build, and maintain CI/CD pipelines in Azure DevOps (YAML pipelines) for application and infrastructure deployments
Implement multi-stage release workflows with environment promotion (dev → staging → production), approval gates, and automated rollback
Establish branch policies, PR validation builds, and quality gates (test coverage, build health)
Own deployment reliability: zero-downtime deployment patterns (blue/green, canary), release cadence, and deployment metrics (lead time, change failure rate, MTTR)
Manage build agents, artifact feeds, and container registries (ACR)
2. Infrastructure as Code (20%)
Partner closely with engineering teams to integrate security into development workflows without reducing delivery velocity.
Develop secure coding guidance, reusable security patterns, and self-service security capabilities.
Support security champion programs and security awareness initiatives for technical teams.
Author and maintain all cloud infrastructure as code using Terraform and/or Bicep — no click-ops in production
Build reusable IaC modules for common patterns (networking, app services, databases, key vaults)
Implement state management, drift detection, and plan/apply review workflows integrated into pipelines
Manage environment parity and configuration across dev, staging, and production
Drive cost visibility and right-sizing through tagging standards and IaC-enforced resource policies
3. Policy as Code & Governance (25%)
Define and enforce guardrails using Azure Policy (built-in and custom definitions) across subscriptions and management groups
Implement policy-as-code workflows so governance changes go through version control and CI, not the portal
Enforce standards automatically: allowed regions and SKUs, mandatory encryption, network restrictions, required tags, diagnostic settings
Integrate compliance scanning into pipelines (e.g., Checkov, tfsec, PSRule) so non-compliant infrastructure fails before deployment
Automate collection and reporting of security control evidence to support compliance and audit requirements.
Maintain audit-ready documentation and technical control mappings across applicable regulatory frameworks.
Maintain audit-ready evidence of control enforcement to support SOC 2 / PCI DSS compliance efforts
4. Security Operations & Remediation (25%)
Facilitate threat modeling exercises for applications, cloud services, APIs, and infrastructure platforms.
Identify security design risks early in the software development lifecycle and recommend mitigation strategies.
Design and implement secure network architectures including segmentation, private networking, web application firewalls (WAF), and cloud-native security controls.
Monitor and remediate network exposure risks and cloud security misconfigurations.
Support secure connectivity models including VPN, private endpoints, service meshes, and zero-trust networking architectures.
Own vulnerability management end to end: scanning (SAST, dependency/SCA, container image, DAST), triage, severity-based remediation SLAs, and tracking to closure
Remediate infrastructure-level findings directly (misconfigurations, patching, network exposure, identity over-permissioning); route application-code findings to engineering teams with clear severity, context, and deadlines
Administer secrets management (Azure Key Vault) — no secrets in code, pipelines, or configuration files
Implement and tune Microsoft Defender for Cloud and security monitoring/alerting; lead initial response and containment for security incidents
Manage identity and access: Entra ID, RBAC least-privilege reviews, service principals/managed identities, PIM for elevated access
Harden the network layer: NSGs, private endpoints, WAF, segmentation between environments
5. Feature Delivery Enablement (10%)
Implement feature flag infrastructure (e.g., Azure App Configuration / LaunchDarkly) to decouple deployment from release
Support progressive rollouts, A/B exposure controls, and kill switches for safe feature launches
Partner with application engineers to make shipping fast and safe — your job is to remove friction, not add gates
Support feature flag platforms and progressive delivery capabilities to enable secure, controlled feature releases.
Implement kill-switch and rollback mechanisms to reduce deployment risk.
QUALIFICATIONS
Education:
B.S. or Major in Computer Science
Required Licensure, Certificati