What it takes to be a DevSecOps engineer
To address security early in the application development process, DevSecOps requires a litany of skills and technology literacy. Learn what it takes to be a DevSecOps engineer.
Becoming an effective DevSecOps engineer requires a distinct set of skills and practical experience. DevSecOps engineers should have a deep understanding of how security impacts each stage of the development pipeline and the final product or service. Just as important is their ability to be team players with good communication skills.
It's certainly not a role for those who enjoy working in their own little silo. Identifying gaps and embedding security into DevOps processes often involves working with colleagues who are skeptical or uninformed about the role of the DevSecOps engineer. Winning respect and cooperation requires a good knowledge of DevOps processes and principles -- not just the technical skill set of an IT security professional. The ideal DevSecOps engineer has involvement in and appreciation of every stage in the software project lifecycle, from initial design and build to rollout and maintenance. In a continuous integration/continuous delivery (CI/CD) environment, this entails working under pressure on time-critical tasks.
In order to work successfully with DevOps teams, a DevSecOps engineer needs a thorough understanding of popular programming languages, like PHP, Java, JavaScript, Ruby and Python. Additional familiarity with popular CI/CD tools, such as Jenkins, GitLab CI/CD, CircleCI, Puppet, Chef and Spinnaker, is important. A DevSecOps candidate should be up to speed with Docker and Kubernetes, along with cloud hosting providers, like AWS and Microsoft -- depending on the tools and services the organization utilizes.
To provide security in DevSecOps, up-to-date knowledge of threat modeling, risk assessment techniques, code reviews, current best practices and the latest cybersecurity threats is essential. DevSecOps engineers choose and deploy the appropriate automated application security testing tools. It is their responsibility to make users aware of how to make the most of application security features.
Software projects have become a complex mixture of different moving parts -- both human and machine. Yes, knowledge and skills can be acquired on the job. But formal training, such as industry-standard certification, is essential to obtain a practical understanding of DevOps principles and methods. Attain an accredited qualification or DevOps certification to stand out from a pool of engineer candidates. The DevOps Foundation certification and DevSecOps Engineering certification from the DevOps Institute or the Certified DevSecOps Professional certification from Practical DevSecOps are recommended. Other relevant qualifications include Certified Ethical Hacker, Certified Secure Software Lifecycle Professional, GIAC (Global Information Assurance Certification) Mobile Device Security Analyst and ISO 27001. Microsoft, AWS and Cisco also offer valuable certifications. If they are relevant to a DevSecOps project, earning them may be a wise way to become a better candidate for an engineer role. Additionally, the SANS Institute offers secure coding courses in .NET and Java/Java Enterprise Edition, which teach how to build applications securely and how to identify security shortfalls in other programmers.
At a company in the process of moving from DevOps to DevSecOps, a DevSecOps engineer's challenge is to convince potentially skeptical developers that security will not slow them down. Ensuring developers understand that a security code review is a requirement of the code commit process requires diplomacy. Engineers need to demonstrate patience and the ability to explain how various checks and reviews will improve each developer's overall output. This can be a challenge. After all, the developer's primary focus is to run code as quickly as possible.
When developers acknowledge the benefits of finding weaknesses in their design or code early on, progress to a mature DevSecOps model should become easier. Metrics to measure how many issues are being detected and fixed prior to committing code are a great way to show how security can improve each team's overall workflow.
Once dev and ops teams consider the security impact of each design decision -- and developers in particular enjoy the challenge of building secure software just as much as creating new features -- then it's a job well done.