This is a remote position.
Berkeley Payment Solutions is a leading payment technology provider specializing in innovative solutions for businesses to manage and process payments seamlessly.
Candidates must be located in Canada for this role.
The Lead Security / DevSecOps Engineer will strengthen and maintain the company's security posture through secure development practices, infrastructure security controls, and DevSecOps principles. This hands-on role bridges software engineering, operations, and cybersecurity, ensuring security is integrated across the entire development lifecycle. The role involves leading secure CI/CD pipelines, cloud infrastructure hardening, automated threat detection, and compliance enforcement in direct collaboration with engineering, DevOps, and product teams.
Berkeley operates a cloud-native, Kubernetes-first platform on AWS. You will work directly with:
• IaC: Terraform 1.5+ (tf-environments, tf-shared-modules with 29+ reusable modules)
• Compute & Orchestration: Amazon EKS 1.28+, Karpenter v1.0.10+, Helm (25+ charts), Docker
• GitOps & CI/CD: ArgoCD (App-of-Apps), GitHub Actions, AWS CodeBuild, ECR, OIDC IAM roles
• Networking & Edge: Transit Gateway (hub-and-spoke), VPC multi-account, CloudFront, HAProxy Ingress
• Security: AWS WAF (JA3/JA4, OWASP rules), GuardDuty (9 accounts), IAM Identity Center, JumpCloud SAML, Secrets Manager, External Secrets Operator
• Data & Storage: Aurora Serverless v2 (PostgreSQL 14.17, MySQL 8.0), DynamoDB, ElastiCache Redis, S3
• Observability: Prometheus, Grafana, Loki Distributed, Promtail, AlertManager, PagerDuty
• Data Workflows: Argo Workflows, Spark Operator, Jupyter, 56+ scheduled jobs
• Applications: Elixir/Phoenix, Go, NestJS, React, RabbitMQ, SQS
• AI Operations: Claude Code for DevOps automation, IaC generation, and operational workflows
• Compliance: PCI-DSS, SOC 2 Type I/II, GDPR
• AWS Accounts: Multi-account strategy: Root, Dev, Staging, Production, CAMS Production
• Design and implement security controls across CI/CD pipelines (GitHub Actions, CodeBuild), Terraform IaC, and deployment workflows (ArgoCD, Helm charts).
• Integrate automated security scanning (SAST, DAST, dependency scanning, container image scanning) into CI/CD to detect vulnerabilities early.
• Harden EKS/Kubernetes, Docker, and AWS environments with best-practice configurations, Karpenter node policies, and Kubernetes security policies.
• Enforce least-privilege access and secrets management via AWS Secrets Manager and External Secrets Operator across all environments.
• Automate security and compliance tasks using Claude Code for IaC generation, infrastructure scripting, and security workflows.
• Manage SSL/TLS certificate renewals, CSP enforcement, and AWS WAF rules (JA3/JA4 fingerprinting, OWASP rule sets) protecting CloudFront edge infrastructure.
• Deploy and manage GuardDuty (9 accounts), Security Hub, and the Grafana-Loki-Prometheus stack to detect and respond to threats in real time.
• Develop and execute incident response playbooks, coordinating alerts through AlertManager, PagerDuty, and Slack.
• Configure alerting for unauthorized access, configuration drift, and anomalous behavior across the multi-account AWS environment.
• Analyze logs and telemetry from Grafana, Loki, Promtail, and Prometheus; monitor VPC Flow Logs, Transit Gateway traffic, and CloudFront access logs for anomalies.
• Lead compliance efforts for SOC 2 Type I/II, PCI-DSS, and GDPR, including automated enforcement and evidence collection within CI/CD and Terraform.
• Perform security risk assessments, gap analyses, and audits across all AWS accounts (Root, Dev, Staging, Production, CAMS).
• Collaborate with legal, compliance, and auditing stakeholders; conduct vendor and third-party risk assessments.
• Maintain centralized compliance documentation for frameworks, control implementations, and audit activities.
• Lead threat modeling and architecture reviews for services across Elixir/Phoenix, Go, NestJS, and React stacks.
• Define and enforce baseline security configurations (hardened AMIs, K8s security policies, Karpenter NodePool constraints, Security Groups).
• Conduct security reviews for Aurora Serverless v2 databases, message queues (RabbitMQ, SQS), and caching layers (ElastiCache Redis).
• Manage scalable infrastructure on AWS via Terraform (29+ shared modules), ArgoCD, and EKS across dev/stage/prod accounts.
• Build and maintain secure CI/CD pipelines using GitHub Actions and CodeBuild with ECR image management.
• Operate Kubernetes environments using Karpenter for intelligent node provisioning; oversee the Prometheus-Grafana-Loki-Promtail observability stack.
• Manage database infrastructure (Aurora Serverless v2, DynamoDB, ElastiCache), Transit Gateway networking, and CloudFront edge configurations.
• Implement and monitor SLOs, SLAs, and error budgets in collaboration with product and engineering.
• Leverage Claude Code for Terraform module development, Helm chart authoring, Kubernetes troubleshooting, and security policy generation.
• Use Claude Code to accelerate incident investigation, generate runbooks, and produce IaC patches.
• Build Claude Code-driven automation for certificate rotation, compliance checks, and environment provisioning.
• Evaluate AI-assisted tooling for the DevSecOps pipeline; mentor team members on effective Claude Code usage.
• Conduct security training tailored to engineers, product managers, and DevOps teams.
• Embed a DevSecOps-first mindset from ideation to deployment; facilitate post-incident reviews and drive remediation.
• Mentor team members on security practices, cloud infrastructure, Kubernetes operations, and observability.
• Maintain documentation for security standards, tooling, infrastructure configuration, and response procedures.
• Build a security and DevOps knowledge base aligned with existing architecture documentation.
• Track and report KPIs for system security, infrastructure reliability, and compliance maturity.
• 5+ years in DevOps, SRE, or Security Engineering with hands-on cloud infrastructure experience.
• Deep expertise with AWS (EKS, IAM, GuardDuty, WAF, Secrets Manager, Transit Gateway, CloudFront, Aurora, S3, DynamoDB, ElastiCache).
• Strong Kubernetes (EKS), Helm, ArgoCD, and container security experience.
• Proficiency in Terraform IaC, including module development and multi-environment management.
• Experience building and securing CI/CD pipelines with GitHub Actions and/or CodeBuild.
• Solid understanding of PCI-DSS, SOC 2, and/or GDPR compliance frameworks.
• Experience with observability stacks (Prometheus, Grafana, Loki) and incident response tooling (PagerDuty, AlertManager).
• Strong scripting skills (Bash, Python, or Go).
• Experience with Karpenter, HAProxy Ingress, or External Secrets Operator in Kubernetes.
• Experience securing Elixir/Phoenix, Go, or NestJS application stacks.
• Experience with Claude Code for infrastructure automation and operational scripting.
• Hands-on experience with Argo Workflows, Spark Operator, or data pipeline security.
• Experience with JumpCloud or similar identity providers for SAML/SSO.
• Background in payment technology, financial services, or PCI-compliant environments.