DevSecOps Engineer (Insurance)

Role Overview

The DevSecOps Engineer (Insurance) is responsible for embedding security across the software delivery lifecycle for core insurance systems.

The role ensures secure, compliant, resilient, and automated delivery across hybrid cloud environments while aligning with insurance regulations and enterprise architecture standards.

Key Responsibilities

1) Secure SDLC & Pipeline Automation

• 8-10 years in AppSec/Platform with 3+ years leading DevSec Ops initiatives at scale
• Build and maintain secure CI/CD pipelines for insurance applications.
• Drive Application Lifecycle, from Onboarding, Change and Deboarding/Decommission.
• Integrate security gates solutions like SonarQube (SAST, DAST, scanning, container scanning) into Azure DevOps/GitHub pipelines.
• Automate vulnerability detection and remediation workflows, aligned with risk severity and SLAs.
• Promote shift-left security across development and product teams.

2. Cloud & Infrastructure Security

• Enforce identity and access controls across workloads, including Zero Trust and principle of least privilege.

3. Application & API Security

• Conduct secure code reviews for services.
• Implement API security standards (OAuth2, JWT, mTLS) across partner ecosystems.
• Work with developers to fix vulnerabilities in timebound compliance windows.
• Participate in architecture reviews for new product launches, wellness apps etc.

4. Security Monitoring, Threat Detection & Incident Response

• Drive integration of applications and infra logs into SIEM.
• Assist in tabletop exercises for cyber readiness (esp. ransomware scenarios affecting policy/claims data).

5. Governance, Risk, Compliance & Audit (Insurancespecific)

• Ensure compliance with IRDAI Cybersecurity Guidelines, PCI-DSS, ISO 27001, GDPR (for global reinsurers/partners).
• Automate evidence generation for audits (access reviews, pipeline logs, IaC manifests, deployment artifacts).
• Ensure implementation of DLP, encryption, and data lifecycle controls for PII, KYC documents, health records, and claims scanned documents.
• Support third-party security assessments for vendors, TPAs, digital partners, and insurtech integrations.

6. Collaboration & Culture

• Work closely with development, product, data engineering, App support and IT security teams.
• Train engineers on secure coding, threat modeling, API security, cloud hardening, and secure deployments.
• Promote DevSecOps culture through champions inside delivery teams.

Required Skills & Experience

Technical Skills

• Strong experience with Azure DevOps, GitHub Actions, or similar tools.
• Understanding of Azure/AWS security services (Key Vault/KMS, IAM/Entra ID, VNet security, WAF, Defender for Cloud).
• Knowledge of AppSec tools:
• SAST: SonarQube/Fortify/Checkmarx
• DAST: Burp Suite/OWASP ZAP
• Experience with SIEM/SOAR, threat detection, log analytics.
• Strong scripting skills (Python/PowerShell/Bash).

Soft Skills

• Strong analytical and problemsolving mindset.
• Clear communication with senior stakeholders and auditors.

Preferred Qualifications

• Certifications: AZ500, SC100, AZ400, CKS, CKA, CCSP, Security+.
• Prior experience in insurance, BFSI, InsurTech environments.

KPIs for Success

• Reduction in critical vulnerabilities across pipelines and workloads.
• % of automated security controls implemented across CI/CD.
• Mean Time to Remediate (MTTR) vulnerabilities.
• Compliance score (IRDAI, ISO) and reduction in audit findings.
• Production incident reduction tied to security or misconfigurations.
• Adoption of DevSecOps patterns across delivery squads.