Staff DevSecOps Engineer

Ever since we started in 2007, Sunrun has been at the forefront of connecting people to the cleanest energy on Earth. It’s why we’ve become the #1 home solar and battery company in America. Today, we’re on a mission to change the way the world interacts with energy, and we’re building a company and brand that puts power at the center of life. And we’re doing it by designing a dynamic culture where employee development, well-being, and safety come first. We’re unlike any other solar company. Our vertically integrated model gives us total control over every part of the energy lifecycle – from sale through installation and beyond – so you can find endless opportunities for growth. Come join a career you can grow in and a culture you can run with.

This position is primarily remote, with occasional visits to a local office or our corporate headquarters for team-building, training, and collaborative project work. These on-site sessions are designed to strengthen connections, share insights, and ensure a seamless experience for our team and customers. Equipment pick-up from a local branch will be required. We will  provide advance notice whenever on-site attendance is required, making these times purposeful and rewarding.

Position Overview:

We are seeking a highly experienced and proactive Staff DevSecOps Engineer to lead the development and implementation of our DevSecOps program. In this critical role, you will be responsible for architecting and integrating security best practices into our software development lifecycle (SDLC) and CI/CD pipelines. Your deep expertise will be instrumental in establishing and maturing robust vulnerability management, static application security testing (SAST), software composition analysis (SCA), and secrets scanning processes to proactively identify, assess, and mitigate security risks. You will work closely with development, operations, and security teams, providing mentorship and fostering a security-first culture.

Key Responsibilities:

• Architect and Implement DevSecOps Program: Design, build, mature, and maintain a comprehensive DevSecOps program, including strategy, policies, standards, and procedures. Drive the adoption of DevSecOps practices across the organization.

• CI/CD Pipeline Security: Architect, implement, and optimize the integration of security tools and processes (SAST, DAST, SCA, secrets scanning) into CI/CD pipelines to ensure automated and effective security checks at every stage of development.

• Advanced Vulnerability Management: Lead and enhance the vulnerability management lifecycle, including advanced identification techniques, risk-based assessment, strategic prioritization, remediation tracking, and comprehensive reporting of vulnerabilities across applications and infrastructure.

• Static Application Security Testing (SAST): Implement, configure, manage, and scale SAST tools to identify security flaws in source code. Work with development teams to remediate findings and provide expert guidance on secure coding practices and architectural patterns.

• Software Composition Analysis (SCA): Deploy, manage, and optimize SCA tools to identify and mitigate risks associated with open-source components and third-party libraries, including known vulnerabilities and license compliance issues. Develop strategies for managing supply chain security.

• Secrets Scanning & Management: Implement and manage advanced tools and processes for detecting and preventing secrets (API keys, passwords, certificates) leakage in code repositories, configuration files, and CI/CD pipelines. Champion and enforce secure secrets management practices and solutions.

• Security Automation and Orchestration: Design and implement automation and orchestration for security testing, monitoring, and response processes to improve efficiency, effectiveness, and speed of remediation.

• Security Champion, Mentorship & Training: Act as a senior security champion, providing expert guidance, mentorship, training, and support to development, operations, and junior security team members on secure development practices and DevSecOps principles.

• Incident Response Leadership: Play a key role in security incident response activities, including investigation, containment, remediation, and post-mortem analysis.

• Stay Current & Innovate: Keep abreast of emerging security threats, vulnerabilities, advanced attack techniques, and industry best practices in DevSecOps. Drive innovation in security tooling and processes.

Required Qualifications:

• Bachelor's degree in Computer Science, Information Security, or a related field, or equivalent practical experience.

• 8+ years of progressive experience in DevSecOps, Application Security, or Security Engineering roles, with a significant portion at a senior or lead level. 

• Proven track record of designing, implementing, and leading successful DevSecOps programs and integrating security deeply into CI/CD pipelines.

• Expert-level hands-on experience with SAST tools (e.g., GHAS, Checkmarx, Veracode, Semgrep).

• Expert-level hands-on experience with SCA tools (e.g., OWASP Dependency-Check, Snyk, Black Duck, Mend).

• Extensive experience with secrets scanning tools (e.g., GitLeaks, TruffleHog, HashiCorp Vault, CyberArk).

• Deep understanding and experience with advanced vulnerability management principles and tools (e.g., Wiz, Orca, Nessus, OpenVAS).

• Proficiency in multiple scripting languages (e.g., Python, Bash, PowerShell, Go).

• Strong experience with serverless/containerization technologies (e.g., Docker, Kubernetes) and their security hardening and monitoring.

• In-depth knowledge of cloud security principles, services, and best practices (AWS, Azure, GCP).

• Expert understanding of common web application vulnerabilities (OWASP Top 10, SANS Top 25) and advanced mitigation techniques.

• Strong analytical, strategic thinking, and problem-solving skills.

• Excellent communication, presentation, and interpersonal skills, with the ability to influence and collaborate effectively with technical and non-technical stakeholders at all levels, including leadership.

• Demonstrated experience mentoring and leading junior engineers.

Preferred Qualifications:

• Master's degree in Computer Science, Information Security, or a related field.

• Relevant advanced security certifications (e.g., CISSP-ISSAP/ISSEP, CSSLP, OSCP, OSCE, GIAC certifications like GCSA, GWEB, GCIH, GDSA).

• Extensive experience with Infrastructure as Code (IaC) security (e.g., Terraform, CloudFormation, Pulumi) and tools like Terrascan, Checkov.

• Experience with Dynamic Application Security Testing (DAST) tools and IAST.

• Experience in developing and presenting security dashboards and metrics to executive leadership.

• Published security research or contributions to open-source security projects.

Recruiter:

Please note that the compensation information that follows is a good faith estimate for this position only and is provided pursuant to acts, such as The Equal Pay Transparency Act. It assumes that the successful candidate will be located in markets within the United States that warrant the compensation listed. Candidates in locations outside this local area may have a different  starting salary range for this opportunity which may be higher or lower.  Please speak with your recruiter to learn more.

Starting salary/wage for this opportunity:

Sunrun provides a variety of benefits to employees, including health insurance coverage, a wellbeing program, life and disability insurance, a retirement savings plan, paid holidays, and paid time off (PTO). Other rewards may include annual bonus eligibility, based on both company and individual performance, as well as short- and long-term incentives and program-specific awards. Compensation decisions will not be based on a candidate's salary history. Please note: Employee benefits do not apply to our Fusion and Street Sales roles, which are 100% commission-based, (1099-NEC) positions.

This description sets forth the general nature and level of the qualifications and duties required of employees in this job classification, as well as some of the essential functions of this role.  It is not designed to be a comprehensive inventory of all essential duties and qualifications.  If you have a disability or special need that may require reasonable accommodation in order to participate in the hiring process or to perform this role if you are offered employment, please let us know by contacting us at candidateaccomodations@sunrun.com.

Sunrun is proud to be an equal opportunity employer that does not tolerate discrimination or harassment of any kind. Our commitment to Diversity, Inclusion & Belonging drives our ability to build diverse teams and develop inclusive work environments. At Sunrun, we believe that empowering people and valuing their differences are essential for our mission of connecting people to the cleanest energy on earth. We are committed to equal employment opportunities without consideration of race, color, religion, ethnicity, citizenship, political activity or affiliation, marital status, age, national origin, ancestry, disability, veteran status, sexual orientation, gender identity, gender expression, sex or gender, pregnancy or any other basis protected by law. We also consider qualified applicants with criminal convictions, consistent with applicable federal, state and local law.