DevSecOps Engineer
Douglas
About the role
In this role, you will take technical responsibility for ensuring our pipelines, infrastructure, and software supply chain are not only stable but also secure. You are the person who implements 'Shift Left' operationally and ensures deployments run smoothly.
You will be the link between development, security, and the emerging AI team:
- DevSecOps as the core of your role: Systematically integrate SAST, DAST, dependency scanning, container scanning, secret detection (e.g., TruffleHog, Gitleaks), and IaC security (e.g., Checkov, tfsec) into our CI/CD pipelines. Security checks are mandatory, not optional – and you ensure findings are prioritized and addressed rather than getting lost in tickets.
- Secrets Management & Identity: Work with our Passbolt Enterprise setup, GCP Secret Manager, and Azure Key Vault, drive automated key rotation, and migrate remaining service account keys to Workload Identity Federation. Credential hygiene is an ongoing process.
- Vulnerability Management & Patching: Establish processes for CVE tracking, patch windows, and risk prioritization for both our container images and the underlying hosted infrastructure. You know which CVEs are truly critical and which are just CVSS inflation.
- Security in the Software Supply Chain: SBOMs, signed artifacts, image provenance, dependency pinning – you know what SLSA is and where we still need to improve. You will guide us there step by step.
- Incident Response & Forensics: When a secret is leaked, an account is compromised, or suspicious activity appears in the Azure DevOps Audit Log, you are the person who reacts systematically: limit blast radius, rotate credentials, analyze logs, write post-mortems.
- CI/CD Pipelines: Optimize and extend our existing Azure DevOps pipelines – faster, more stable, reproducible, more secure. Build, Test, Deploy should not rely on manual intervention.
- Hybrid Infrastructure (Hetzner/Anexia + GCP): Our production systems run on hosted infrastructure, while we selectively migrate workloads to GCP (including our LiteLLM-based AI gateway on Cloud Run). You will shape this hybrid reality, paying special attention to network segmentation, firewall rules, and IAM policies.
- Kubernetes – stable and hardened: You are responsible for our K8s environment: Network Policies, RBAC, Pod Security Standards, Admission Controllers. Resource management and stability are part of this, but cluster hardening is not an optional extra.
- Infrastructure as Code: What doesn't exist as code, doesn't exist – and what exists as code will be checked against security baselines. Reproducible, documented, versioned.
- Observability & Security Monitoring: Build logging, tracing, and alerting so that anomalies become visible before they escalate. This includes security-relevant signals: unusual API accesses, failed auth attempts, anomalies in audit logs.
- MLOps with a Security Focus: Create the infrastructure on which our ML models and LLM-powered services are securely deployed – including rate limiting at the gateway, cost control, and protection against prompt-injection-like exfiltration scenarios at the infrastructure level.
Your Skills
- Several years of experience as a DevOps Engineer with a clear security focus – you know the difference between theory and a 3 AM incident.
- In-depth knowledge of common attack vectors and mitigations – OWASP Top 10, supply-chain attacks, container escapes, privilege escalation, typical cloud misconfigurations.
- Practical experience in building DevSecOps pipelines – not just "I once integrated a SAST tool," but you have successfully guided a team to take security findings seriously and address them systematically.
- Experience with Secrets Management (Passbolt, HashiCorp Vault, Azure Key Vault, GCP Secret Manager, or comparable).
- Solid experience with Azure DevOps – Pipelines, Service Connections, Environments, Audit Logs, Least-Privilege Configuration.
- Experience with at least one major Public Cloud (GCP preferred, Azure or AWS also relevant) – especially IAM, Networking, and Managed Security Services.
- Experience with On-Premise or Hosted Infrastructure (comparable to Anexia/Hetzner/Colocation) – you know life outside the Public Cloud and the security peculiarities that come with it.
- Production Kubernetes experience – including RBAC, Network Policies, Pod Security, and Cluster Hardening.
- Infrastructure as Code is not an optional extra for you, but standard – including security scanning of IaC templates.
- Proactiveness: You analyze the current state, identify risks, and make a concrete improvement proposal – without being asked.
Nice to have
- In-depth GCP experience (Cloud Run, Vertex AI, BigQuery, Secret Manager, Cloud Logging, Security Command Center).
- Experience with Threat Modeling or Security Architecture Reviews.
- Experience with SIEM / SOAR or structured Security Incident Handling.
- Knowledge of relevant frameworks: ISO 27001, NIST CSF, CIS Benchmarks, BSI-Grundschutz.
- Experience with Web Application Firewalls – especially Akamai (CDN Rules, WAF Policies, Offloading Strategies).
- Experience with LLM Infrastructure (LiteLLM, vLLM, Ollama, or similar) and LLM-specific security topics (Prompt Injection, Data Exfiltration, Rate Limiting).
- Experience with MLflow, Seldon, BentoML, or comparable MLOps platforms.
- Experience with Terraform for hybrid infrastructure (Hosted + Cloud).
- Experience with GitOps workflows (Flux, ArgoCD).
- Basic knowledge of Python or Go – helpful for security tooling, automation, and small custom checks.
- Certifications: AZ-500 (Security), Google Professional Cloud Security Engineer, AZ-400 (DevOps Expert), CKS (Certified Kubernetes Security Specialist), OSCP, or comparable.
Your Benefits
- 28 days of vacation: Enjoy ample time for rest and relaxation.
- Hybrid Work: Flexible working and remote options possible 🏡
- Inhouse care: A stylish new office building in the heart of Heilbronn – with our own barista machine, gaming corner, terrace for shared lunches or table tennis, free drinks, and much more.
- High-quality equipment: Work with first-class equipment in a modern environment.
- Flexibility: Digital time tracking and a flexitime account with the option for time off in lieu ⏰
- Attractive employee discounts on the entire parfumdreams online assortment.
- Beauty-Time: Discounted beauty treatments in our stores ✨
- Fit & happy: Wellhub for exercise, relaxation, and mental balance 🏋️♀️🧘♂️
- Exclusive offers via our corporate benefits platform 🎁
- Work-Life-Balance & Everyday Support: Free access to heycare with support in all life situations – from mental health to childcare and elder care to pet care – simply via app 🐶👶
- We celebrate your special moments: You receive extra vacation days for personal occasions like round birthdays, weddings, or important anniversaries 🎉🎂
- Secure Future: With our company pension plan, you can look forward to the future with peace of mind 💰
- Beauty with Purpose: Work where trends are not just followed but shaped – with a focus on innovation, quality, and sustainable brands 💄✨
- Inspiring work environment: Fast-growing company, short decision-making paths, and a place where your ideas count. 🚀
- Team culture that supports you: Open, honest, supportive – we pull together, celebrate successes, and learn from mistakes together 🤝🎉
- Unforgettable moments: Our company events provide experiences that remain in memory 🎈
- Four-legged colleagues welcome: Dogs are allowed in the office – because we know how much they sweeten the day. 🐶
- #comeasyouare: No dress code – just be yourself 👕👠
DO YOU RECOGNIZE YOURSELF?
Then become part of our international company and apply!
As an international employer, we stand for equal opportunities and diversity. Therefore, we welcome applications from mothers, fathers, people with disabilities, and members of the LGBTQ+ community. Please let us know if we should use a gender-neutral pronoun, if you require accessible access, or if we should plan more time for the application process.
Unfortunately, we cannot cover travel or accommodation costs for the job interview.
Please also note that we do not return paper applications.
We look forward to your application!
Questions about the application?
I'm Bettina. Do you have questions about your application? I'm happy to help.