
What Does a DevSecOps Engineer Do?

Learn with Fluid Attacks about this professional path

DevSecOps is a methodology that results from extending responsibility for security to other organizational functions, especially development and operations. As a cybersecurity model, it encompasses people, policies, processes and technologies. In this blog post, we will talk about the individuals who lead the adoption of this methodology: DevSecOps engineers.

What is a DevSecOps engineer?

DevSecOps engineers are the professionals responsible for bringing development, security and operations together to improve the organization's security posture. They monitor and automate security processes and test systems, which results in the protection of data and information technology (IT) infrastructure. Much like individuals in other IT security roles, DevSecOps engineers are familiar with cybersecurity software and best practices such as conducting risk assessments and threat modeling.

What are the skills of a DevSecOps engineer?

It should come as no surprise that DevSecOps engineers often prove to have a great deal of proficiency in programming. They have to be able to sit down with DevOps engineers (program developers) to work out the solution to a vulnerability reported in the organization's system. Some of the languages DevSecOps engineers know are Java, JavaScript, Perl, PHP, Python and Ruby.

They often have experience with CI/CD tools. These include Chef, CircleCI, GitLab CI/CD, Jenkins, Puppet and Spinnaker. Other developer tools they often know their way around are Kubernetes, Docker and Amazon Web Services (AWS).

As we said in a blog post, automated security checks are part of the DevSecOps methodology. Therefore, DevSecOps engineers often have a good understanding of automated application security testing tools, for example SAST and DAST tools. These professionals must know how to choose and deploy these tools appropriately.

Another useful skill for a DevSecOps engineer is knowing how to conduct risk assessments. They must have rigorous processes to test the security of the organization's system and analyze its risk exposure. To do this effectively, they must be up to date with DevOps culture and principles, cybersecurity threats, software and best practices.

Lastly, teamwork and communication skills are no doubt something that they can't do without. Indeed, in order to integrate security into DevOps, they have to work with others efficiently. Also, they must be able to communicate their knowledge of threats clearly to both their peers and employers. This means they often need to express ideas in a simpler way and still manage to get the point across.

DevSecOps engineer's responsibilities in organizations

The skills listed above can give you a pretty good idea of what DevSecOps engineers are asked to do. They use their experience to continuously assess the security of their organization's systems. When they find a vulnerability during development, they work along with others to fix it as soon as possible. In this regard, they need to be able to present these security issues and the solutions they came up with to a varied audience. But they are also expected to anticipate threats and add countermeasures to prevent them. As a result, they keep the organization's digital assets safe.

It has been said that DevSecOps engineers often have to work "with colleagues who are skeptical or uninformed about [their] role." This may be because those colleagues are challenged by the organization's transition from DevOps to DevSecOps. Teams may feel put out by the idea that security could become an obstacle to fast integration and deployment. DevSecOps engineers are then needed to educate others on how best practices like code review improve the overall results and help comply with security standards.

DevSecOps roles and DevSecOps engineers

Within organizations, it is possible to have different DevSecOps roles. As an opinion piece (read it here) says, there seem to be three types. One is designed for people with experience automating infrastructure deployments (e.g., cloud engineers). Another is for people with experience "designing and implementing security testing tools and integrating those into pipelines." And yet another is for people who work along with the development team to review, triage and close vulnerabilities (e.g., security champions). From what we've said so far, it can be argued that a DevSecOps engineer's role covers all three.

How to become a DevSecOps engineer

Whether you wish to become one or just want to know what credentials you should look for in someone's resumé, some sites report the degrees that DevSecOps engineers often hold. These include tech-related fields like computer science or computer engineering. However, a degree in math is also mentioned as an option.

Some skills listed above can be self-taught. That is the case for proficiency in programming languages or development tools. Others can be nurtured in formal employment or through an internship. In fact, it has been advised that prospective DevSecOps engineers work first in a non-DevOps IT position before getting into DevSecOps. It's also advised to enroll in courses that teach DevOps principles and how to build applications securely. For example, prospective DevSecOps engineers would benefit greatly from taking secure coding courses.

Yet another step is to become certified. We'll get to a list of certifications in a moment, but a prospective DevSecOps engineer should think of training first. These are some of the advised security certification courses: DevSecOps Certified Professional (DSOCP), Certified Cyber Security Expert (CCSE), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) and Cisco Certified Network Associate (CCNA).

What are a DevSecOps engineer's certifications?

Certifications help you stand out from other candidates when you apply for a job. But they can also be pursued out of love for the challenge. Indeed, they put a candidate's patience and stamina to the test.

It is advisable to get certified by the DevOps Institute with certifications like DevOps Foundation, DevSecOps Engineering (DSOE) and DevOps Leader. The Certified DevSecOps Professional certification from Practical DevSecOps is also recommended. It has also been advised to get practical certifications issued by Cisco, CompTIA and Microsoft, as well as the Certified Ethical Hacker (CEH) certification. Other related certifications are Certified Secure Software Lifecycle Professional, GIAC (Global Information Assurance Certification) Mobile Device Security Analyst and ISO 27001.

Do you want to know more about DevSecOps?

At Fluid Attacks, we help enterprises integrate security into DevOps from the very beginning of the software development lifecycle. Our DevSecOps solution is fueled by our most trusted method: ethical hacking. This method comprises the manual use of different tools (e.g., SAST, DAST, SCA). It allows us to detect the most intricate and severe vulnerabilities. Additionally, our solution offers an automated DevSecOps agent whose function is to break the build. This is a security measure that can be set up in a CI/CD environment to prevent any software author from deploying a system with open vulnerabilities to production. As a result, enterprises can achieve high remediation rates and enhance the security of every commit. Do you want to know more about our DevSecOps solution? Contact us.
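To illustrate the "break the build" idea described above, here is an added example of a minimal CI gate; it is not Fluid Attacks' agent and it assumes a hypothetical JSON findings report format (fields `id`, `severity`, `status`) produced by whatever scanner runs earlier in the pipeline. The script exits non-zero when any open finding meets the configured severity threshold, which is what makes the CI job fail and stops the deployment.

```python
import json
import sys

# Severity ordering used to compare findings against the policy threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report; a real pipeline would read the scanner's output file.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-001", "severity": "high", "status": "open"},
        {"id": "F-002", "severity": "critical", "status": "closed"},
        {"id": "F-003", "severity": "medium", "status": "open"},
        {"id": "F-004", "severity": "critical", "status": "accepted"},
    ]
})


def evaluate_build(report_json, min_severity="high", allow_accepted=True):
    """Return (should_break, blocking_ids) for a findings report.

    A finding blocks the build when its severity is at or above min_severity
    and it is still open. Findings whose risk was formally accepted are
    ignored unless allow_accepted is False (stricter policy for production).
    """
    threshold = SEVERITY_RANK[min_severity.lower()]
    blocking = []
    for finding in json.loads(report_json).get("findings", []):
        status = finding.get("status", "open").lower()
        if status == "closed":
            continue
        if status == "accepted" and allow_accepted:
            continue
        if SEVERITY_RANK.get(finding.get("severity", "").lower(), 0) >= threshold:
            blocking.append(finding["id"])
    return (len(blocking) > 0, blocking)


def main(argv):
    # Usage: break_build.py <report.json> [min_severity]; reads the sample if no file given.
    report = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    min_severity = argv[2] if len(argv) > 2 else "high"
    should_break, blocking = evaluate_build(report, min_severity)
    if should_break:
        print("Build broken: open vulnerabilities at or above", min_severity, blocking)
        return 1  # non-zero exit code makes the CI job fail
    print("Build passed: no open vulnerabilities at or above", min_severity)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a GitLab CI or Jenkins job, running this script as its own stage after the scanners means a non-zero exit halts the pipeline before the deploy stage.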