Staff DevSecOps Engineer (Cryptography)

We’re seeking an experienced Staff DevSecOps Engineer with a passion for securing cloud-native applications and a strong background in AWS cloud security. In this role, you’ll drive the integration of security into our development pipelines, leveraging automation and coding expertise in Python, Go, and Java to protect our platforms.

Join us in building secure, scalable cloud environments where you’ll play a key role in:

• Cloud Security – Implementing robust security controls across AWS environments.
• DevSecOps Practices – Embedding security into CI/CD pipelines and infrastructure as code.
• Automation – Developing tools and scripts to enhance security monitoring, response, and cryptography operations.

This is a remote-first role, with the option to work from anywhere within the U.S. or from our Oakland office. If you’re excited about securing the future of cloud-native applications, we’d love to have you on our team!

• Design and implement security architectures for AWS-based applications, leveraging services like IAM, GuardDuty, and Security Hub.
• Secure AWS generative AI workloads, ensuring proper access controls, data encryption, and model security for services like Amazon Bedrock and SageMaker.
• Integrate security into CI/CD pipelines, ensuring secure code deployment using tools like AWS CodePipeline and CodeBuild.
• Develop and maintain automation scripts and tools in Python, Go, or Java to enhance security monitoring, incident response, and compliance.
• Automate cryptography-related tasks and operations using AWS Lambda functions for AWS KMS and Secrets Manager.
• Automate on-prem and off-prem HSM tasks using Java, Python, or Go to streamline key management processes.
• Collaborate with development, operations, and security teams to implement data protection, access control, and vulnerability management strategies.
• Manage and secure infrastructure as code (IaC) using Terraform or AWS CloudFormation, ensuring secure configurations.
• Monitor and respond to security incidents, utilizing AWS CloudTrail, CloudWatch, and other logging tools.
• Ensure compliance with security standards such as PCI DSS through automated controls and audits.
• Research emerging cloud security and cryptography trends and integrate best practices into our strategies.

• A minimum of 8 years of related experience with a Bachelor’s degree; or 5 years and a Master’s degree; or a PhD with 3 years’ experience; or equivalent combination of related education and work experience.
• 5+ years of professional experience in DevSecOps, cloud security, or application security.
• 4+ years of hands-on experience with AWS security services (e.g., IAM, KMS, Secrets Manager, GuardDuty, Security Hub).
• 4+ years of coding experience in Python, Go, and/or Java, with a focus on security automation or tool development.
• 3+ years of experience with infrastructure as code (e.g., Terraform, CloudFormation) and CI/CD tools (e.g., Jenkins, GitHub Actions).
• 2+ years of experience with container security (e.g., Docker, Kubernetes) and securing microservices architectures.
• 2+ years of experience with security compliance frameworks (e.g., PCI DSS).
• Strong collaboration and communication skills, with the ability to influence cross-functional teams.
• Problem-solving skills to navigate complex security challenges with confidence and flexibility.

• Experience with AWS KMS, AWS Secrets Manager, or Google Tink.
• Working knowledge of Amazon Bedrock/SageMaker security features.
• Familiarity with HSM automation for on-prem and off-prem environments.
• Experience with Kubernetes security tools (e.g., Falco, Trivy).
• Proficiency in additional scripting languages or frameworks (e.g., Bash, Node.js).
• CISSP, CCSP, AWS Certified Security – Specialty, or other relevant certifications.
  Job Expectations:

• Occasional travel (up to 10%).
• A hiring process that includes an application, recruiter call, hiring manager video call, and a virtual “onsite” interview.

Compensation and Benefits

Marqeta is a Flex First company which allows you to choose your best working environment, whether that be from home or at a company office. To support Flex First, we calibrate pay to a competitive value according to working location. Compensation is aligned according to three tiers within the United States:

• National: A baseline tier that applies to most of the geographic territory of the United States.
• Premium: Slightly elevated from the National tier, and oriented toward a narrower set of higher cost-of-living areas, such as Los Angeles CA and Seattle WA
• Premium Plus: A tier for the most expensive working areas, like the San Francisco Bay area and New York City.

Visit this page or consult with a Recruiter to determine which tier would be applicable to you.

When determining salaries, we consider several factors including, but not limited to, skills, prior experience, and work location. The new-hire base salary range for this position is:

• National: $167,100 - $208,900
• Premium: $179,800 - $224,700
• Premium Plus: $195,400 - 244,200

We also believe in recognizing the contributions of our people. That's why we award annual bonuses to eligible employees, rewarding both individual performance and the success of the entire company.

Along with monetary compensation, Marqeta offers

• Multiple health insurance options
• Flexible time off – take what you need
• Retirement savings program with company contribution and after tax contributions
• Equity in a publicly-traded company and an Employee Stock Purchase Program
• Family-forming benefits, fertility support, and up to 20 weeks of Parental Leave
• Free therapy sessions, financial and professional coaching, and legal advice
• Monthly stipend to support our remote work model
• Annual “development dollars” to support our people growth and development