What Does a DevSecOps Engineer Do?

DevSecOps is a culture that results from expanding responsibility for security to organizational functions, especially development and operations. As a model in cybersecurity, it contemplates people, policies, processes and technologies. In this blog post, we will talk about the individuals that lead the implementation of the DevSecOps culture and mindset: DevSecOps engineers.

DevSecOps engineers are the professionals responsible for bringing development, security and operations together to enhance the security stance of the organization. They monitor and automate security processes and test systems. This results in the protection of data and information technology (IT) infrastructure. Much like individuals in other IT security roles, a DevSecOps engineer has knowledge of cybersecurity software and DevSecOps best practices. The latter include enabling collaboration and conducting risk assessments and threat modeling.

The idea of having DevSecOps engineers is to help train every developer to be a security developer. That is, instead of having hyper-specialized roles (e.g., back-end dev, front-end dev, infrastructure dev), developers have a single, fully capable one. So they learn to program a bit of everything (front-end, back-end, infrastructure, CI/CD, etc.) and work throughout the whole project, from design to test and deployment into production.

Teamwork and communication skills are no doubt something that DevSecOps engineers can't do without. Indeed, in order to integrate security into DevOps (i.e., promoting a secure development process), they have to work with others efficiently. Also, they must be able to communicate their knowledge of threats clearly to both their peers and employers. This means they often need to express ideas in a more simple way and still manage to get the point across.

It should come as no surprise that DevSecOps engineers often prove to have a great deal of proficiency in programming. They have to be able to sit down with DevOps engineers (program developers) to work out the solution to a vulnerability reported in the organization's system. Some of the languages DevSecOps engineers know are Bash, Java, JavaScript, Perl, PHP, Python and Ruby.

They often have experience with CI/CD tools. These include Chef, CircleCI, GitLab CI/CD, Jenkins, Puppet and Spinnaker. Other developer tools they often know their way around are Kubernetes, Docker and Amazon Web Services (AWS).

As we said here and, more extensively, here, automated security checks, within the general process automation logic, are a part of the DevSecOps best practices. Then, DevSecOps engineers often have a good understanding of automated application security testing tools used along with manual security testing. For example, static application security testing (SAST) and dynamic application security testing (DAST) can be done both with automatic tools and manually. The expert must know how to choose and deploy these tests appropriately.

When using these tests throughout the entire software development lifecycle (SDLC), they become part of your DevSecOps tools, so to speak. Keep in mind, though, that at Fluid Attacks we know automated tools generate reports with high rates of false positives and false negatives. Therefore, although we encourage teams to automate tools and processes, we see the highest value in manual security testing and see performing continuous penetration tests as one of the DevSecOps best practices. It follows that it does not do to have just regular penetration tests, applied only eventually. When tests are done continually, a remediation culture is effectively maintained.

Lastly, a DevSecOps engineer should know how to conduct risk assessments. They must have rigorous processes to test the security of the organization's system and analyze its risk exposure in continuous, not just regular security audits. To do this effectively, they must be up to date with DevOps culture and principles, cybersecurity threats, software and best practices.

The skills listed above can give you a pretty good idea of what DevSecOps engineers are asked to do. They use their experience to assess the security of their organization's systems. They make sure to do this all the time. When they find a vulnerability during development, they work along with others to fix it asap. In this regard, they need to be able to present these security issues and the solutions they come up with to a varied audience. But they are also expected to anticipate threats and add countermeasures to prevent them. As a result, they keep the organization's digital assets safe.

It has been said that, DevSecOps engineers often have to work in collaboration "with colleagues who are skeptical or uninformed about [their] role." This may be because they are challenged by the organization's transition from DevOps to DevSecOps. Teams may feel put out with the idea of security maybe being an obstacle to fast integration and deployment. DevSecOps engineers are then needed to, drawing on their knowledge, educate how best practices, like code review, auditing code dependencies and breaking the build, improve the overall results and help comply with security standards. Top DevSecOps companies are able to ingrain security in their development and operations processes without sacrificing speed.

And yet another job role is for people who work along with the development team to review, triage and close vulnerabilities (e.g., security champions). From what we've said so far, it can be argued that a DevSecOps engineer's role covers all three.

If you wish to become one or just want to know what credentials you should look for in someone's resumé, some sites report the degrees that DevSecOps engineers often hold. These include tech-related fields like computer science or computer engineering. However, a degree in math is also mentioned as an option.

Some skills listed above can be self-taught. That is the case for proficiency in programming languages or development tools. Others, like those necessarily involving collaboration, can be nurtured in formal employment or through an internship. In fact, it has been advised that prospective DevSecOps engineers work first in a non-DevOps IT position before getting into DevOps and then into DevSecOps. It's also advised to enroll in courses that teach DevOps principles and how to build applications securely. For example, prospective DevSecOps engineers would benefit a lot from taking secure coding courses.

Yet another step to get fit for the role of DevSecOps engineer is to become certified. We'll get to a list of certifications in a moment. A prospective DevSecOps engineer should first think of training and acquiring knowledge. These are some of the advised security certification courses: DevSecOps Certified Professional (DSOCP), Certified Cyber Security Expert (CCSE), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) and Cisco Certified Network Associate (CCNA).

To show you are right for the role of DevSecOps engineer, it is advisable to get certified by the DevOps Institute with certifications like DevOps Foundation, DevSecOps Engineering (DSOE) and DevOps Leader. The Certified DevSecOps Professional certification from Practical DevSecOps is also recommended. It has also been advised to get practical certifications issued by Cisco, CompTIA and Microsoft, as well as the Certified Ethical Hacker (CEH) certification. Other related certifications are Certified Secure Software Lifecycle Professional, GIAC (Global Information Assurance Certification) Mobile Device Security Analyst and ISO 27001.

As mentioned above, security has been considered a stopper for development. Traditionally, security teams audited applications and decided on their going into production. Continuous Hacking, our solution that performs security testing throughout the entire SDLC, was designed having two principles in mind:

Why are DevSecOps engineers important?

How is a cybersecurity engineer different from a DevSecOps engineer?

Is DevSecOps a good career choice?

What challenges do DevSecOps engineers face?

At Fluid Attacks, we help enterprises integrate security into DevOps from the very beginning of the software development lifecycle. Our DevSecOps solution is fueled by our most trusted method: ethical hacking. This method comprises the manual use of different tools (e.g., SAST, DAST, SCA). It allows us to detect the most intricate and severe vulnerabilities. Additionally, our solution offers an automated DevSecOps agent, which functionality is to break the build. This is a security measure that can be set up in a CI/CD environment to prevent any software author from deploying a system with open vulnerabilities to production. As a result, enterprises can achieve high remediation rates and enhance the security of every commit. Do you want to know more about our DevSecOps solution? Contact us. We are happy to answer all your DevSecOps questions. Also, be sure to check out our DevSecOps workshop.