Senior Specialist, Information Security DevSecOps

Planned Parenthood is the nation's leading provider and advocate of high-quality, affordable sexual and reproductive health care for all people, as well as the nation's largest provider of sex education. With more than 600 health centers across the country, Planned Parenthood organizations serve all patients with care and compassion, with respect, and without judgment, striving to create equitable access to health care. Through health centers, programs in schools and communities, and online resources, Planned Parenthood is a trusted source of reliable education and information that allows people to make informed health decisions. We do all this because we care passionately about helping people lead healthier lives.

Planned Parenthood Federation of America (PPFA) is a 501(c)(3) charitable organization that supports the independently incorporated Planned Parenthood affiliates operating health centers across the U.S. Planned Parenthood Action Fund is an independent, nonpartisan, not-for-profit membership organization formed as the advocacy and political arm of Planned Parenthood Federation of America. The Action Fund engages in educational, advocacy, and electoral activity, including grassroots organizing, legislative advocacy, and voter education.

Planned Parenthood Federation of America (PPFA) and Planned Parenthood Action Fund (PPAF) seeks a dynamic and effective Senior Specialist DevSecOps Architecture and Engineering. This job reports directly to the Director, DevSecOps Architecture & Engineering in the Information Security division of PPFA. The Office of Information Security provides the strategy and implementation of the information security program that safeguards the data entrusted to Planned Parenthood by its patients, supporters, donors and staff.

Purpose:

As a Senior Specialist DevSecOps Architecture and Engineering, you will work within a multi-disciplined team to provide expertise on complex systems. You'll stay up-to-date with the latest Continuous Integration/Continuous Deployment (CI/CD) security standards, systems, and authentication protocols, as well as best practice security products. You'll foster trusted partnerships and relationships with the Digital Products, DevOps, AppDev, and ITOps teams. This will require you to understand the business, its digital strategy, and have a comprehensive awareness of its technology and information needs. You'll ultimately use this knowledge to develop and test security controls, protecting the development pipeline and supporting systems.

Security Integration: Emphasize integrating security seamlessly throughout the software development lifecycle (SDLC). This includes tasks like threat modeling, vulnerability scanning, and secure coding practices.

Automation: Highlight the engineer's responsibility for automating security processes to improve efficiency and reduce manual errors.

Collaboration: Stress the importance of collaboration with developers, security professionals, and operations teams to foster a shared security culture.

Compliance: Mention ensuring adherence to security standards and regulations relevant to your industry and organization.

Delivery:

Design, build, and manage a scalable threat modeling framework, leveraging automation to integrate application security into the CI/CD pipeline, and act as the product owner of application security automation platform.

Work directly with project development teams and ITOps to enable successful project implementation applying the recommended security tools, technologies, and techniques. Provide expertise to project team engineers and architecture as needed.

Stay up to date on new tools & techniques in the information security space.

Support an information security solution that is scalable and easy to adapt with changing business requirements.

Support DevSecOps security solution integration with various security test tools.

Assets with programmatic code review and penetration test applications to decrease potential introduction of vulnerabilities within the code.

Contribute to vulnerability detection and remediation of technological offerings.

Educating other team members on application security standards and best practices.

Participating in enterprise technology and functional planning processes to develop standards and best practices.

Support engineering and development direction for application security designs that solve business problems.

Experience working with container security.

Support DevSecOps security integration with various security testing tools.

Working with application teams and ITOps on security solution design and implementation.

Participate in DevSecOps security solutions, and proof of concepts.

Support cross functional team members on DevSecOps standards and best practices.

Participating in enterprise technology and functional planning processes to develop standards and best practices.

Support building, deploying, and maintaining instrumentation and security controls in and around code.

Support programmatic code review and penetration test applications to decrease potential introduction of vulnerabilities within the code.

Engagement:

Engage with Digital Products, Applications Development, and senior-level staff within PPFA.

Provide technical thought leadership in overall security Solution development.

Works closely with other technical teams including the ITOps and DevSecOps Architecture and Engineering.

A solid understanding of industry-standard scanning tools including Venari, Fortify on Demand, and ZAProxy.

Work closely with the application development and infrastructure architectural teams to create secure code by design and default.

Work with DevSecOps to implement automated security testing tools (SAST, DAST) within the CI/CD pipeline, catching potential threats before deployment.

Work closely DevSecOps to establish prevention, detection, and mitigation techniques.

Collaborate with AI Community, InfoSec, and Office of General Counsel (OGC).

Knowledge, Skills, and Abilities (KSAs):

You will report to the Director of DevSecOps Architecture and Engineering and will work closely with Digital Products, Application Development, DevSecOps, and ITOps.

Technical bachelor's degree and 3 + years of industry experience or equivalent work experience.

2 + years of experience working with container security solutions.

At least 2 years of experience implementing DevOps tool-chain (Jenkins, SonarQube, GitHub, Nexus, Code quality tools) implementation and automation.

Minimum 3 years of experience with scripting and automation.

Minimum 3 years of experience with web application and web service implementation.

Hands-on experience with application development is required.

Hands-on experience with GenAI systems is preferred.

Expert knowledge of the OWASP framework and application security best practices.

Passion to work on newer technologies and explore the security domain.

Experience in compliance requirements and industry standards PCI-DSS, HIPAA, ISO 27001, NIST, CSF, ITIL, COBIT, Sarbanes Oxley, and SANS 20.

ML Sec Ops and Prompt Injection Testing.

TRAVEL: Up to 10% travel on occasion

Total offer package to include generous vacation + sick leave + paid holidays, individual/family provided medical, dental and vision benefits effective day 1, life insurance, short/long term disability, paid family leave and 401k. We also offer voluntary opt-in for Flexible Spending Account (FSA) and Transportation/Commuter accounts.

We value a truly diverse workforce and a culture of inclusivity and belonging. Our goal is to attract qualified candidates and encourage applications from all individuals without regard to race, color, religion, sex, national origin, age, disability, veteran status, marital status, sexual orientation, gender identity, or any other characteristic protected by applicable law. We're committed to creating a dynamic work environment that values diversity and inclusion, respect and integrity, customer focus, and innovation.

PPFA participates in the E-Verify program and is an Equal Opportunity Employer.

#LI-SY1

*PDN-HR

Roles that are denoted as NYC, DC, or both will work a hybrid schedule, requiring 2-3 days per week in the office unless the role is denoted as onsite, which requires working onsite full time or 5 days per week.