DevSecOps Lead (Shift-Left Security) Velocity
**Company**: Velocity
**Location**: Gurgaon, India (Hybrid: 3 days/week in office)
**Job Type**: Full-time
**Experience Level**: 6-10 years
**Apply To**: `devops-hiring@velocity.in`
**Posting Date**: June 23, 2025
**Listing ID**: VEL-DSECOPS-2025-GGN
**Compensation**: ₹25-40 LPA + 0.01-0.05% ESOP + Performance Bonus
---
### **About the Role**
Lead security-first DevOps for India's fastest-growing revenue-based financing platform. Protect ₹500M+ daily transactions by building "secure-by-default" cloud infrastructure and implementing shift-left security across AWS/GCP environments. You'll report directly to the CTO and mentor a team of 5 cloud engineers.
---
### **Key Responsibilities**
| **Security Domain** | **Technical Actions** |
|---------------------------|-----------------------|
| **Shift-Left Security** | Embed security scans in CI/CD (SAST/DAST/SCA) using GitLab Ultimate |
| **SBOM Management** | Build automated SBOM pipeline with Syft/Grype + vulnerability correlation |
| **IaC Security** | Implement Checkov/Terrascan for Terraform templates (block high-risk commits) |
| **Cloud Security Posture** | Enforce CIS benchmarks via AWS Security Hub + GCP Security Command Center |
| **Secrets Management** | Migrate to HashiCorp Vault + automated rotation (AWS Secrets Manager fallback) |
| **Incident Response** | Conduct purple team exercises; maintain SOAR playbooks for fintech threats |
---
### **Technical Stack & Requirements**
**Core Technologies**:
- **Cloud**: AWS (EC2, Lambda, RDS), GCP (GKE, Cloud SQL)
- **Containers**: EKS/GKE, Docker, Falco for runtime security
- **Security Tools**: Wazuh, Trivy, OPA, CloudSploit
- **CI/CD**: GitLab CI (Ultimate), Argo CD for GitOps
- **Languages**: Python (Boto3), Go (for custom tooling)
**Mandatory Skills**:
- 6+ years securing cloud-native fintech/banking systems
- Expertise in SBOM generation/dependency tracking
- Certified DevSecOps Professional (CDP) or CSSLP
- PCI-DSS/SOC 2 compliance implementation
- Threat modeling for microservices architectures
---
### **Innovation Projects**
1. **"Hack Thursdays"**:
   - 20% time to build custom security tools (e.g., AI-powered IaC scanner)
   - Quarterly innovation grants up to ₹10L for open-source contributions
2. **Zero Trust Implementation**:
   - Migrate from VPN to BeyondCorp-style access using Tailscale
3. **Quantum-Readiness**:
   - Experiment with lattice-based cryptography in payment flows
---
### **Why Join Velocity?**
**Impact**:
- Protect 5,000+ SME transactions daily
- Reduce security incidents by ≥60% in Year 1
**Compensation & Perks**:
- ESOP grants (4-year vesting)
- ₹3L/year security certification budget (OffSec, SANS)
- "Security Champion" bonus (₹50K/month for critical CVE finds)
- Family cybersecurity insurance (up to ₹50L coverage)
**Culture**:
- Direct access to founders (ex-Google/Stripe engineers)
- Monthly threat-hunting workshops with Razorpay/Stripe experts
- Flexible "security response" WFH days
---
### **Qualifications**
**Must Have**:
- Built SBOM pipelines for production systems
- Secured Kubernetes in multi-cloud environments
- Led PCI-DSS audits for fintech companies
- Public bug bounty program contributions

**Preferred**:
- OSCP/OSWE certification
- Fintech fraud detection experience
- Contributions to OWASP projects
- Experience with Web3/blockchain security
---
### **Application Process**
1. **Technical Challenge**:
   - Complete take-home task: [Security Lab Environment](https://velocity.
   - Fix critical vulnerabilities in sample fintech stack
2. **Interview Process**:
   - Architecture review → Threat modeling exercise → Culture fit
3. **Apply**:
   - Email solutions to `devops-hiring@velocity.in` with subject:
     *"DevSecOps Submission [VEL-DSECOPS-2025-GGN] - [Your Name]"*
   - Include:
     - GitHub profile
     - SBOM case study
     - 1-page threat model for payment gateway
---
### **About Velocity**
Series C fintech startup ($300M valuation) providing revenue-based financing to Indian D2C brands.
- **Tech Highlights**:
  - Processed ₹8,000Cr+ in transactions
  - Zero security breaches since 2021
  - Tech stack: Go, PostgreSQL, Kafka, AWS/GCP
- **Funding**: Backed by Sequoia & Elevation Capital
---
**Disclaimer**: *Job requires background check and NDA signing. www.clouddevopsjobs.com is an independent platform.*
