Principal Engineer, DevSecOps
About the role
DevSecOps Principal Engineer

Key Duties:
- Proven and demonstrable ability to lead at least two other team members in an official capacity towards specific DevSecOps outcomes.
- Lead the DevSecOps team (two engineers) in daily execution, weekly syncs, and PI planning. Ensure stories are accurate, scoped, and deliverable.
- Own and drive the DevSecOps roadmap across pipeline security, IaC policy enforcement, application security tooling, and cloud security posture management.
- Embed threat modeling into pipelines and workflows to provide real-time analysis of architectural changes in products.
- Architect and maintain security gates in GitHub Actions CI/CD pipelines. Define when and how scans run, what blocks a merge, and how results route to developers.
- Administer GitHub Advanced Security across the organization: CodeQL query suites, secret scanning policies, Dependabot configuration, and developer-facing campaign management.
- Author and deploy Checkov custom policies for Terraform IaC scanning. Drive golden policy adoption from the current 25% pipeline coverage toward 75%+ with hard-fail enforcement.
- Operate and configure Palo Alto Prisma or Cortex (CNAPP) for cloud security posture, image scanning, and AppSec integration.
- Manage Terraform-based infrastructure security across multi-account AWS environments using Control Tower, IAM, VPC, and Transit Gateway.
- Integrate security tooling outputs into SIEM and SOAR for alerting, triage, and response workflows.
- Mentor two mid-level engineers. Identify skills gaps, provide hands-on training, and review their work.
- Collaborate with Security Governance to produce compliance evidence for PCI-DSS, NIST, and CIS controls derived from DevSecOps tooling.
- Support acquisition security assessments by evaluating incoming technology stacks against Allegiant's IaC and pipeline security standards.
- Define and enforce security governance for agentic AI tooling, including MCP server registries, gateway configurations, and trust policies for AI-to-tool interactions.
- Document architecture decisions, policy rationale, and runbooks. Maintain documentation quality standards across the DevSecOps team.
- Participate in SAFe Agile planning. Maintain strong Jira hygiene. Assist security leadership in backlog prioritization and capacity negotiation with product owners.

Pipeline security engineering: Production experience building and maintaining security scanning stages in CI/CD pipelines. Must demonstrate pipelines they have built that run in production today, not proofs of concept. GitHub Actions is required.

Application security tooling at scale: Hands-on administration of GitHub Advanced Security or equivalent (Snyk, Veracode, Checkmarx) in an organization with 50+ repositories. Must show evidence of driving developer adoption of scan results, not just enabling tools.

Infrastructure-as-code policy: Experience writing and enforcing custom Checkov policies (or Bridgecrew, tfsec, Sentinel) against Terraform codebases. Must be able to describe policies they authored and the compliance or security outcomes those policies enforced.

Cloud infrastructure security: Deep working knowledge of AWS security constructs: Control Tower, IAM (including ABAC patterns), VPC architecture, Transit Gateway, and multi-account strategies. Must have operated these in production, not just designed them.

CNAPP operations: Expe