DevSecOps Specialist at I&M Bank

Job Purpose

The DevSecOps specialist is responsible for embedding security into the software development lifecycle (SDLC) and CI/CD pipelines, ensuring applications and cloud-native workloads are secure by design. Reporting to the Head Application Security & Red Team Operations, this role acts as a technical enabler for development teams, integrating automated security controls, conducting secure code reviews, and supporting offensive/defensive testing practices.

The role requires solid technical skills and hands-on experience in security automation, developer enablement and collaborative support to enable rapid, secure delivery of Bank applications.

Key Responsibilities

• Integrate security controls into CI/CD pipelines (SAST, DAST, SCA, container scans, IaC security).
• Collaborate with developers to implement the Bank’s secure coding standards and security minimum baseline requirements.
• Apply security best practices to cloud-native applications and containerized environments.
• Conduct cloud security posture reviews and integrate automated compliance checks into build pipelines.
• Ensure secrets management, identity, and zero-trust principles are applied within DevOps pipelines.
• Support red team and penetration testing activities by fixing identified vulnerabilities and integrating findings into pipelines.
• Conduct targeted manual application security testing.
• Provide technical remediation guidance to developers and DevOps teams.
• Provide training and awareness to developers on secure coding, CI/CD security, and threat modeling.
• Contribute to cross-team incident response efforts for application-related vulnerabilities.
• Collaborate with the Group SOC team to translate intelligence into actionable detection and defence improvements.
• Partner with the SOC, Technology, Risk, and Compliance teams to ensure defensive measures align with regulatory requirements, internal policies, and industry best practices.
• Ensure pipelines meet compliance requirements i.e., NIST CSF & ISO 27001      

Job Specifications

Academic Qualifications

·        Bachelor’s Degree in IT, Technology, Cyber Security, or a related field – mandatory

Professional Qualifications / Membership to professional bodies/ Publication  

• Microsoft Certified: Azure Security Engineer Associate (AZ-500)
• Offensive Security Certifications
• AWS Certified Security – Specialty
• Certified Red Team Certifications
• Certified Secure Software Lifecycle Proffessional (CSSLP)
• Cloud Pentester Certifications
• Membership in recognised cyber security professional associations
• ISO/IEC 27001 Lead Implementer/Auditor  

Work Experience Required

• 5-7 years of progressive experience in cyber security.
• Proven track record in planning and executing complex red team and penetration testing engagements against advanced threat actors.
• Hands-on expertise in exploitation techniques, attack path development, and evasion tactics.
• Strong background in vulnerability assessment, adversarial emulation frameworks (e.g., MITRE ATT&CK, CALDERA, C2 frameworks), and purple teaming.
• Demonstrated experience in integrating threat intelligence into testing and defence strategies.

Competencies:

• Strong understanding of adversarial tactics, techniques, and procedures (TTPs) and their countermeasures
• Familiarity with threat modeling, OWASP Top 10, MITRE ATT&CK, and secure coding practices. ● Hands-on experience with CI/CD platforms (Jenkins, GitLab CI, GitHub Actions, Azure DevOps, CircleCI)
• Strong technical expertise in cloud security, CI/CD pipelines, secure SDLC, SAST/DAST, penetration testing, threat modeling, and container security.
• Scripting and automation skills (Python, Bash, PowerShell, or Go)
• Exceptional analytical and problem-solving skills, with the ability to design and execute creative attack simulations.
• Hands-on knowledge of offensive security tools, frameworks, and red team methodologies. ● Excellent leadership skills, with the ability to inspire and develop high-performing teams.
• High ethical standards, integrity, and commitment to responsible security testing practices.

Apply

If you believe you meet the above requirements log onto our www.imbankgroup.com/ke and click on careers and apply for the position. Your application should reach us as soon as possible but not later than 3rd September 2025.