What Does a DevSecOps Engineer Do?

DevSecOps is a culture that results from expanding responsibility for security to organizational functions, especially development and operations. As a model in cybersecurity, it encompasses people, policies, processes and technologies. In this blog post, we will talk about the individuals who lead the implementation of the DevSecOps culture and mindset: DevSecOps engineers.
What is a DevSecOps engineer?

DevSecOps engineers are the professionals responsible for bringing development, security and operations together to enhance the security posture of the organization. They monitor and automate security processes and test systems. This results in the protection of data and information technology (IT) infrastructure.

Much like individuals in other IT security roles, a DevSecOps engineer has knowledge of cybersecurity software and DevSecOps best practices. The latter include enabling collaboration and conducting risk assessments and threat modeling. This DevSecOps specialist promotes cybersecurity awareness and is there to empower the rest of the team to generate the most value in the shortest possible time. In the process, they ask themselves the following questions:

- How can I ensure that developers deploy the system into production without having to wait for anyone?
- How can I ensure that each release to production does not have bugs that we have already found in the past (i.e., continuous improvement)?
- Which architecture for a solution is the simplest, so that developers can easily understand and extend it?

The idea of having DevSecOps engineers is to help train every developer to be a security developer. That is, instead of having hyper-specialized roles (e.g., back-end dev, front-end dev, infrastructure dev), developers have a single, fully capable one. So they learn to program a bit of everything (front-end, back-end, infrastructure, CI/CD, etc.) and work throughout the whole project, from design to test and deployment into production.
What are the skills of a DevSecOps engineer?

Teamwork and communication skills are no doubt something that DevSecOps engineers can’t do without. Indeed, in order to integrate security into DevOps (i.e., promote a secure development process), they have to work with others efficiently. Also, they must be able to communicate their knowledge of threats clearly to both their peers and employers. This means they often need to express ideas in a simpler way and still manage to get the point across. These experts are familiar with the architecture of applications. They are thus qualified to communicate with the team if they find vulnerabilities in the design and instruct the team on how to fix them. This way, they empower all developers to be security developers.

It should come as no surprise that DevSecOps engineers often prove to have a great deal of proficiency in programming. They have to be able to sit down with DevOps engineers (program developers) to work out the solution to a vulnerability reported in the organization’s system. Some of the languages DevSecOps engineers know are Bash, Java, JavaScript, Perl, PHP, Python and Ruby. They often have experience with CI/CD tools. These include Chef, CircleCI, GitLab CI/CD, Jenkins, Puppet and Spinnaker. Other developer tools they often know their way around are Kubernetes, Docker and Amazon Web Services (AWS).

As we said here and, more extensively, here, automated security checks, as part of the general logic of process automation, are one of the DevSecOps best practices. Accordingly, DevSecOps engineers often have a good understanding of the automated application security testing tools used alongside manual security testing. For example, static application security testing (SAST) and dynamic application security testing (DAST) can be done both with automated tools and manually. The expert must know how to choose and deploy these tests appropriately. When these tests are used throughout the entire software development lifecycle (SDLC), they become part of your DevSecOps tools, so to speak. Keep in mind, though, that at Fluid Attacks we know automated tools generate reports with high rates of false positives and false negatives. Therefore, although we encourage teams to automate tools and processes, we see the highest value in manual security testing and regard performing continuous penetration tests as one of the DevSecOps best practices. It follows that it is not enough to have penetration tests only occasionally. When tests are done continually, a remediation culture is effectively maintained.

Lastly, a DevSecOps engineer should know how to conduct risk assessments. They must have rigorous processes to test the security of the organization’s system and analyze its risk exposure continuously, not just in periodic security audits. To do this effectively, they must be up to date with DevOps culture and principles, cybersecurity threats, software and best practices.
DevSecOps engineer’s responsibilities in organizations

The skills listed above can give you a pretty good idea of what DevSecOps engineers are asked to do. They use their experience to assess the security of their organization’s systems, and they make sure to do this all the time. When they find a vulnerability during development, they work along with others to fix it as soon as possible. In this regard, they need to be able to present these security issues, and the solutions they come up with, to a varied audience. But they are also expected to anticipate threats and add countermeasures to prevent them. As a result, they keep the organization’s digital assets safe.

It has been said that DevSecOps engineers often have to work in collaboration “with colleagues who are skeptical or uninformed about [their] role.” This may be because those colleagues are challenged by the organization’s transition from DevOps to DevSecOps. Teams may feel put out by the idea of security becoming an obstacle to fast integration and deployment. DevSecOps engineers are then needed to draw on their knowledge and explain how best practices, like code review, auditing code dependencies and breaking the build, improve the overall results and help comply with security standards. Top DevSecOps companies are able to ingrain security in their development and operations processes without sacrificing speed.
DevSecOps roles and DevSecOps engineers

Within organizations, it is possible to have different DevSecOps job roles. One is designed for people with experience automating infrastructure deployments (e.g., cloud engineers). They make it possible for the developers to concentrate on building the product with a pretty basic knowledge of the infrastructure that supports it. There is another job role for people with experience designing and implementing security testing tools and integrating them into pipelines (e.g., CI/CD engineers). They hand over the CI/CD framework to the developers so that they can program all the tests that they find necessary. And yet another job role is for people who work along with the development team to review, triage and close vulnerabilities (e.g., security champions). From what we’ve said so far, it can be argued that a DevSecOps engineer’s role covers all three.
How to become a DevSecOps engineer

If you wish to become one or just want to know what credentials you should look for in someone’s résumé, some sites report the degrees that DevSecOps engineers often hold. These include tech-related fields like computer science or computer engineering. However, a degree in math is also mentioned as an option.

Some skills listed above can be self-taught. That is the case for proficiency in programming languages or development tools. Others, like those necessarily involving collaboration, can be nurtured in formal employment or through an internship. In fact, it has been advised that prospective DevSecOps engineers work first in a non-DevOps IT position before getting into DevOps and then into DevSecOps. It’s also advised to enroll in courses that teach DevOps principles and how to build applications securely. For example, prospective DevSecOps engineers would benefit a lot from taking secure coding courses.

Yet another step to get fit for the role of DevSecOps engineer is to become certified. We’ll get to a list of certifications in a moment. A prospective DevSecOps engineer should first think of training and acquiring knowledge. These are some of the advised security certification courses: DevSecOps Certified Professional (DSOCP), Certified Cyber Security Expert (CCSE), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) and Cisco Certified Network Associate (CCNA).
What are a DevSecOps engineer’s certifications?

Certifications help you stand out from other candidates when you apply for a job. But they can also be pursued out of love for the challenge. Indeed, they put a candidate’s patience and stamina to the test. To show you are right for the role of DevSecOps engineer, it is advisable to get certified by the DevOps Institute with certifications like DevOps Foundation, DevSecOps Engineering (DSOE) and DevOps Leader. The Certified DevSecOps Professional certification from Practical DevSecOps is also recommended. It has also been advised to get practical certifications issued by Cisco, CompTIA and Microsoft, as well as the Certified Ethical Hacker (CEH) certification. Other related certifications are Certified Secure Software Lifecycle Professional, GIAC (Global Information Assurance Certification) Mobile Device Security Analyst and ISO 27001.
How DevSecOps engineers leverage Continuous Hacking

As mentioned above, security has been considered a stopper for development. Traditionally, security teams audited applications and decided whether they went into production. Continuous Hacking, our solution that performs security testing throughout the entire SDLC, was designed with two principles in mind:

- Going into production should not be halted by any ongoing manual process: developers should not have to wait for anybody to deploy the system into production.
- Developers should go first, building functionality into applications, and the security team (i.e., hackers) should follow, testing and reporting.

This way, DevSecOps engineers and security developers are able to manage application security in a continuous manner (in DevOps everything must be continuous; anything done in large phases is far too slow when you go into production about 70 times a day) without stopping the generation of value.
Do you want to know more about DevSecOps?

At Fluid Attacks, we help enterprises integrate security into DevOps from the very beginning of the software development lifecycle. Our DevSecOps solution is fueled by our most trusted method: ethical hacking. This method comprises the manual use of different tools (e.g., SAST, DAST, SCA). It allows us to detect the most intricate and severe vulnerabilities. Additionally, our solution offers an automated DevSecOps agent whose function is to break the build. This is a security measure that can be set up in a CI/CD environment to prevent any software author from deploying a system with open vulnerabilities to production. As a result, enterprises can achieve high remediation rates and enhance the security of every commit.
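The break-the-build practice named earlier alongside code review and dependency auditing, and described here as the job of an automated agent, boils down to a gate step in the pipeline that reads the scanners' findings and exits non-zero when something must not ship. The Python script below is an added example written for this post; it is not Fluid Attacks’ DevSecOps agent or any part of Continuous Hacking. It assumes a simplified, constructed JSON report format (real SAST, DAST and SCA tools each have their own), a hypothetical severity threshold and accepted-risk list, and a list of fingerprints of findings that were closed before, so that a vulnerability reappearing in a later release breaks the build regardless of its severity, which is the “continuous improvement” question posed near the top of the post. Malformed or unreadable reports also fail the gate rather than letting the pipeline through silently.

```python
"""Break-the-build gate for a CI/CD job (added example, not Fluid Attacks' agent).

Reads a scan report, applies a severity threshold, an accepted-risk list and a
regression list, and returns a non-zero exit code when the build must be broken.
The report format is a constructed, simplified JSON, not any real tool's output.
"""
import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report mixing SAST, DAST and SCA findings (not real data).
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-1", "tool": "sast", "severity": "high", "status": "open",
         "fingerprint": "sast:hardcoded-secret:app/auth.py", "title": "Hard-coded credential"},
        {"id": "F-2", "tool": "sca", "severity": "critical", "status": "open",
         "fingerprint": "sca:vulnerable-dep:requests", "title": "Vulnerable dependency"},
        {"id": "F-3", "tool": "dast", "severity": "medium", "status": "open",
         "fingerprint": "dast:missing-header:/login", "title": "Missing security header"},
        {"id": "F-4", "tool": "sast", "severity": "high", "status": "closed",
         "fingerprint": "sast:sqli:app/search.py", "title": "SQL injection"},
        {"id": "F-5", "tool": "sast", "severity": "low", "status": "open",
         "fingerprint": "sast:xss:app/profile.py", "title": "Reflected XSS"},
    ]
})


def parse_report(text):
    """Parse the JSON report. Malformed input raises ValueError so the caller
    fails closed; an unknown severity is treated as critical, not ignored."""
    try:
        findings = json.loads(text)["findings"]
        for f in findings:
            if f.get("severity") not in SEVERITY_RANK:
                f["severity"] = "critical"  # unknown severity: assume the worst
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError(f"unreadable report: {exc}") from exc
    return findings


def blocking_findings(findings, threshold="high", accepted=frozenset(), previously_closed=frozenset()):
    """Return the open findings that must break the build:
    - severity at or above `threshold`, unless the id is in `accepted`
      (a documented risk acceptance), or
    - any open finding whose fingerprint was closed before (a regression),
      regardless of severity or acceptance."""
    limit = SEVERITY_RANK[threshold]
    blocking = []
    for f in findings:
        if f.get("status") != "open":
            continue  # closed findings never block
        regression = f.get("fingerprint") in previously_closed
        too_severe = SEVERITY_RANK[f["severity"]] >= limit and f.get("id") not in accepted
        if regression or too_severe:
            blocking.append({**f, "reason": "regression" if regression else "severity"})
    return blocking


def gate(report_text, threshold="high", accepted=frozenset(), previously_closed=frozenset()):
    """Return (exit_code, output_lines). 0 lets the pipeline continue, 1 breaks
    the build, 2 means the report itself could not be trusted (fail closed)."""
    try:
        findings = parse_report(report_text)
    except ValueError as exc:
        return 2, [f"GATE ERROR: {exc}"]
    blocking = blocking_findings(findings, threshold, accepted, previously_closed)
    if not blocking:
        return 0, ["gate: no blocking findings, build may proceed"]
    lines = [f"gate: {len(blocking)} blocking finding(s), breaking the build"]
    for f in blocking:
        lines.append(f"  [{f['reason']}] {f['id']} {f['tool']} {f['severity']}: {f['title']}")
    return 1, lines


if __name__ == "__main__":
    # Usage in a CI step: python gate.py report.json ; the exit code fails the job.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    code, out = gate(text, accepted={"F-2"}, previously_closed={"sast:xss:app/profile.py"})
    print("\n".join(out))
    sys.exit(code)
```

Run as a pipeline step, the job fails whenever the script exits 1 or 2, so an unreadable report is as blocking as a critical finding; the accepted-risk and previously-closed lists are the two pieces of state the team has to maintain deliberately, ideally in version control next to the pipeline definition so that every exception and every regression check is reviewed like code.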
Do you want to know more about our DevSecOps solution? Contact us by filling out the form below. We are happy to answer all your DevSecOps questions. Also, be sure to check out our DevSecOps workshop.
*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Jason Chavarría. Read the original post at: https://fluidattacks.com/blog/what-does-a-devsecops-engineer-do/