Senior Expert, DevSecOps Engineering (m/f/d)

About Redcare Pharmacy:

As Europe’s leading online pharmacy, Redcare Pharmacy is driven by our dedicated teams and cutting-edge innovation. We strive to create an enjoyable and collaborative working environment where every employee feels comfortable and is motivated to contribute to our vision: “Until every human has their health.” If you are looking for a meaningful career that aligns with your values, join our team and start your #Redcareer.

 

About the role: 

You’ll secure our Azure & Kubernetes Data & AI platform end-to-end—baking security into CI/CD, infrastructure, data, and ML workloads. You’ll use Azure DevOps or GitHub Actions, Terraform for policy-as-code guardrails, and Azure services like Key Vault, Entra ID (AAD), and Data Lake with least-privilege access. You’ll also work with Azure Policy, Microsoft Defender for Cloud, Microsoft Sentinel, and Kubernetes security features (RBAC, NetworkPolicies, Pod Security Standards, admission controllers). Experience with ACR image scanning (e.g., Defender, Trivy), OPA/Gatekeeper or Kyverno, CodeQL/Dependabot, Checkov/tfsec, and Databricks security (Unity Catalog, SCIM/AAD) is a plus.

Role scope & interfaces

• Act as the Functional Security Officer (FSO) for Data & AI / DevSecOps, serving as the primary interface to Redcare’s Security organization (CISO/InfoSec, SecOps, GRC/Risk, DPO).
• Contribute to and help evolve Redcare Group security standards (cloud, Kubernetes, CI/CD, ML/MLOps), reference architectures, and secure engineering patterns—and drive their adoption across Data & AI teams.

About your tasks:

• Build and maintain secure CI/CD pipelines (Azure DevOps or GitHub Actions): secrets hygiene, signed artifacts/SBOMs, SAST/DAST/container scanning, least-privilege service connections, and supply-chain hardening.
• Automate security in infrastructure with Terraform: enforce guardrails using policy-as-code (Azure Policy, OPA/Conftest) and continuous IaC scanning (Checkov/tfsec).
• Harden Kubernetes: implement RBAC, NetworkPolicies, Pod Security Standards, secret management, image signing/scanning, and admission policies (Gatekeeper/Kyverno).
• Protect cloud identities & data: manage Entra ID roles/Managed Identities, Key Vault, Private Link/NSGs, encryption at rest/in transit, and just-in-time/least-privilege access.
• Secure ML/MLOps: lock down Databricks (Unity Catalog permissions, secret scopes), MLflow/model registry, feature stores; add model artifact signing, provenance, and runtime isolation for training/serving.
• Monitoring, logging & response: wire platform and security telemetry to Microsoft Sentinel/Defender, define alerts/runbooks, and support incident response and tabletop exercises.
• CVE & vulnerability management: maintain and publish SBOMs; continuously scan for vulnerabilities; triage CVEs (e.g., CVSS scoring + exploitability context), coordinate mitigations/patches, track exposure windows and SLAs, verify remediation, and report metrics to SecOps/GRC.
• Concepts & architecture: draft and maintain reference architectures, trust-boundary diagrams, data-classification schemes, environment isolation patterns, secure secret/key management patterns, and network segmentation for AI services.
• Compliance & assurance: contribute to risk assessments and threat modeling (incl. AI-specific risks: prompt injection, data exfiltration, model theft), support DPIAs, vendor/third-party risk reviews, penetration tests, control testing, evidence collection, and audit readiness for ISO 27001, GDPR, and EU AI Act/NIS2 where applicable.
• Governance: maintain security baselines and exceptions, own platform security KPIs, ensure retention policies, access reviews, and end-to-end audit trails (code → data → model → deployment).

 

About you:

• Experience as a DevSecOps / Cloud Security Engineer (or DevOps with strong security focus) in Azure and Kubernetes environments.
• Hands-on with Azure DevOps/GitHub Actions; comfortable automating guardrails and checks in pipelines.
• Working knowledge of Azure security (Entra ID, Key Vault, Azure Policy, Defender for Cloud, Sentinel) and Kubernetes security.
• Familiar with vulnerability management & CVEs (SBOM creation, dependency/container/IaC scanning, triage/prioritization, remediation workflows, SLA tracking).
• Understanding of Data & AI/ML security: Databricks (Unity Catalog, SCIM/AAD), MLflow/model registry, secrets, data governance, and privacy-by-design.
• Comfortable interfacing with central Security and compliance teams, contributing to audits and group standards, and translating requirements into practical controls.
• A shift-left mindset: you collaborate across teams, codify controls, and enjoy solving real-world security challenges in cloud-based Data & AI platform.

About your benefits:

In order to provide our employees with the best possible support for their individual needs, we offer a wide range of benefits:

• Work from Home: If your job does not require you to be present in the office, we can arrange the place you work from individually - even for up to 20 days a year anywhere in the EU.
• Redcare events: We promote teambuilding through creative team events, and celebrate our successes together at regularly scheduled parties.
• Kindergarten Grant: We offer our employees who pay for childcare in kindergarten 100,00 € (total) per month.
• Mental Health: Get quick and professional help from psychologists if you feel overwhelmed in private or professional life. Anonymous and free of charge.
• Personal Development: We are all constantly learning. That's why we support and foster your career development through internal & external training and help you grow.
• Mobility: Your commute matters to us. We provide our employees with a fully costed Deutschland Ticket which can be used at any time.
• Sports & Health: Your well-being is our top priority. Therefore, we offer you a range of opportunities to improve your health. Profit from a membership (M) package at Urban Sports Club, providing a variety of sports offers tailored to your interests.