
What Does a DevSecOps Engineer Do?

Learn with Fluid Attacks about this professional path

DevSecOps is a culture that results from expanding responsibility for security to organizational functions, especially development and operations. As a model in cybersecurity, it contemplates people, policies, processes and technologies. In this blog post, we will talk about the individuals that lead the implementation of the DevSecOps culture and mindset: DevSecOps engineers.

What is a DevSecOps engineer?

DevSecOps engineers are the professionals responsible for bringing development, security and operations together to enhance the security stance of the organization. They monitor and automate security processes and test systems. This results in the protection of data and information technology (IT) infrastructure. Much like individuals in other IT security roles, a DevSecOps engineer is familiar with cybersecurity software and DevSecOps best practices such as conducting risk assessments and threat modeling.

This DevSecOps specialist promotes cybersecurity awareness and is there to empower the rest of the team to generate the greatest value in the shortest possible time. In the process, they ask themselves the following questions:

  • How can I ensure that developers deploy the system into production without them having to wait for anyone?

  • How can I ensure that each release to production does not have bugs that we have already found in the past (i.e., continuous improvement)?

  • Which architecture in a solution is the simplest, so that developers can easily understand and extend it?

The idea of having DevSecOps engineers is to help train every developer to be a security developer. That is, instead of having hyper-specialized roles (e.g., back-end dev, front-end dev, infrastructure dev), developers have a single, fully capable one. So they learn to program a bit of everything (front-end, back-end, infrastructure, CI/CD, etc.) and work throughout the whole project, from design to test and deployment into production.

What are the skills of a DevSecOps engineer?

Teamwork and communication skills are no doubt something that DevSecOps engineers can't do without. Indeed, in order to integrate security into DevOps (i.e., promoting a secure development process), they have to work with others efficiently. Also, they must be able to communicate their knowledge of threats clearly to both their peers and employers. This means they often need to express ideas in a simpler way and still manage to get the point across.

These experts are familiar with the architecture of applications. They are thus qualified to communicate with the team if they find vulnerabilities in the design and instruct the team on how to fix them. This way, they empower all developers to be security developers.

It should come as no surprise that DevSecOps engineers often prove to have a great deal of proficiency in programming. They have to be able to sit down with DevOps engineers (program developers) to work out the solution to a vulnerability reported in the organization's system. Some of the languages DevSecOps engineers know are Bash, Java, JavaScript, Perl, PHP, Python and Ruby.

They often have experience with CI/CD tools. These include Chef, CircleCI, GitLab CI/CD, Jenkins, Puppet and Spinnaker. Other developer tools they often know their way around are Kubernetes, Docker and Amazon Web Services (AWS).

As we said here and, more extensively, here, automated security checks, within the general process automation logic, are a part of the DevSecOps best practices. Thus, DevSecOps engineers often have a good understanding of the automated application security testing tools used alongside manual security testing. For example, static application security testing (SAST) and dynamic application security testing (DAST) can be done both with automated tools and manually. The expert must know how to choose and deploy these tests appropriately.

When these tests are used throughout the entire software development lifecycle (SDLC), they become part of your DevSecOps tools, so to speak. Keep in mind, though, that at Fluid Attacks we know automated tools generate reports with high rates of false positives and false negatives. Therefore, although we encourage teams to automate tools and processes, we see the highest value in manual security testing and consider continuous penetration testing one of the DevSecOps best practices. It follows that it is not enough to have only periodic penetration tests, performed occasionally. When tests are done continually, a remediation culture is effectively maintained.

Lastly, a DevSecOps engineer should know how to conduct risk assessments. They must have rigorous processes to test the security of the organization's system and analyze its risk exposure continuously, not just in periodic security audits. To do this effectively, they must be up to date with DevOps culture and principles, cybersecurity threats, software and best practices.

DevSecOps engineer's responsibilities in organizations

The skills listed above can give you a pretty good idea of what DevSecOps engineers are asked to do. They use their experience to assess the security of their organization's systems, and they do so all the time. When they find a vulnerability during development, they work along with others to fix it as soon as possible. In this regard, they need to be able to present these security issues and the solutions they come up with to a varied audience. But they are also expected to anticipate threats and add countermeasures to prevent them. As a result, they keep the organization's digital assets safe.

It has been said that DevSecOps engineers often have to work "with colleagues who are skeptical or uninformed about [their] role." This may be because those colleagues are challenged by the organization's transition from DevOps to DevSecOps. Teams may feel put out by the idea that security could become an obstacle to fast integration and deployment. DevSecOps engineers are then needed to educate teams on how best practices, like code review, auditing code dependencies and breaking the build, improve the overall results and help comply with security standards. Top DevSecOps companies are able to ingrain security in their development and operations processes without sacrificing speed.

DevSecOps roles and DevSecOps engineers

Within organizations, it is possible to have different DevSecOps roles. One is designed for people with experience automating infrastructure deployments (e.g., cloud engineers). They make it possible for the developers to concentrate on building the product with a pretty basic knowledge of the infrastructure that supports it.

There is another role for people with experience designing and implementing security testing tools and integrating them into pipelines (e.g., CI/CD engineers). They hand over the CI/CD framework to the developers so that they can program all the tests that they find necessary.

And yet another role is for people who work along with the development team to review, triage and close vulnerabilities (e.g., security champions). From what we've said so far, it can be argued that a DevSecOps engineer's role covers all three.

How to become a DevSecOps engineer

If you wish to become one or just want to know what credentials you should look for in someone's résumé, some sites report the degrees that DevSecOps engineers often hold. These include tech-related fields like computer science or computer engineering. However, a degree in math is also mentioned as an option.

Some skills listed above can be self-taught. That is the case for proficiency in programming languages or development tools. Others can be nurtured in formal employment or through an internship. In fact, it has been advised that prospective DevSecOps engineers work first in a non-DevOps IT position before getting into DevOps and then into DevSecOps. It's also advised to enroll in courses that teach DevOps principles and how to build applications securely. For example, prospective DevSecOps engineers would benefit a lot from taking secure coding courses.

Yet another step is to become certified. We'll get to a list of certifications in a moment. A prospective DevSecOps engineer should think of training first. These are some of the advised security certification courses: DevSecOps Certified Professional (DSOCP), Certified Cyber Security Expert (CCSE), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) and Cisco Certified Network Associate (CCNA).

What are a DevSecOps engineer's certifications?

Certifications help candidates stand out from others when applying for a job. But they can also be pursued out of love for the challenge. Indeed, they put a candidate's patience and stamina to the test.

It is advisable to get certified by the DevOps Institute with certifications like DevOps Foundation, DevSecOps Engineering (DSOE) and DevOps Leader. The Certified DevSecOps Professional certification from Practical DevSecOps is also recommended. It has also been advised to get practical certifications issued by Cisco, CompTIA and Microsoft, as well as the Certified Ethical Hacker (CEH) certification. Other related certifications are Certified Secure Software Lifecycle Professional, GIAC (Global Information Assurance Certification) Mobile Device Security Analyst and ISO 27001.

How DevSecOps engineers leverage Continuous Hacking

As mentioned above, security has traditionally been considered a stopper for development. Security teams audited applications and decided whether they went into production. Continuous Hacking, our solution that performs security testing throughout the entire SDLC, was designed with two principles in mind:

  • Going into production should not be halted by any ongoing manual process: Developers should not have to wait for anybody to deploy the system into production.

  • Developers should go first, building functionality into applications, and the security team (i.e., hackers) should follow, testing and reporting.

This way, DevSecOps engineers and security developers are able to manage application security continuously without stopping the generation of value. In DevOps everything must be continuous: when you go into production about 70 times a day, anything done in large phases is far too slow.

Do you want to know more about DevSecOps?

At Fluid Attacks, we help enterprises integrate security into DevOps from the very beginning of the software development lifecycle. Our DevSecOps solution is fueled by our most trusted method: ethical hacking. This method comprises the manual use of different tools (e.g., SAST, DAST, SCA). It allows us to detect the most intricate and severe vulnerabilities. Additionally, our solution offers an automated DevSecOps agent whose function is to break the build. This is a security measure that can be set up in a CI/CD environment to prevent any software author from deploying a system with open vulnerabilities to production. As a result, enterprises can achieve high remediation rates and enhance the security of every commit. Do you want to know more about our DevSecOps solution? Contact us by filling out the form below. We are happy to answer all your DevSecOps questions. Also, be sure to check out our DevSecOps workshop.
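To make the break-the-build measure concrete, here is an added example of a minimal CI gate written for this post; it is not Fluid Attacks' DevSecOps agent and does not use its report format. The gate reads a vulnerability report, keeps only the findings that are still open, compares each one's score against a configurable severity band, and exits non-zero when anything blocking remains, which is what stops a pipeline stage. The JSON schema (`findings` with `id`, `title`, `severity`, `status`, `location`), the sample findings and the `accepted` status are all constructed assumptions for the example; the severity bands follow the CVSS v3.x qualitative scale.

```python
"""Break-the-build gate for a CI/CD pipeline (illustrative, not a vendor agent).

Usage inside a pipeline stage that runs after the security scan:
    python gate.py report.json high      # exit 1 blocks the deploy stage
Without arguments it evaluates the constructed sample report below.
"""
import json
import sys

# Constructed sample report. The schema is an assumption made for this example:
# a "status" of "closed" or "accepted" (risk formally accepted) never blocks.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-001", "title": "SQL injection in login form",
         "severity": 9.1, "status": "open", "location": "src/auth.py:42"},
        {"id": "F-002", "title": "Outdated dependency with known CVEs",
         "severity": 7.5, "status": "open", "location": "requirements.txt"},
        {"id": "F-003", "title": "Verbose error page",
         "severity": 3.2, "status": "open", "location": "src/views.py:10"},
        {"id": "F-004", "title": "Hard-coded API key",
         "severity": 8.2, "status": "closed", "location": "src/config.py:3"},
        {"id": "F-005", "title": "Missing rate limit on /api/token",
         "severity": 5.0, "status": "accepted", "location": "src/api.py:77"},
    ]
})

# Lower bound of each CVSS v3.x qualitative band; "low" means "block on anything".
SEVERITY_BANDS = {"low": 0.1, "medium": 4.0, "high": 7.0, "critical": 9.0}


def blocking_findings(report_json: str, min_severity: str = "high") -> list:
    """Return the open findings whose score reaches the configured band.

    Closed findings were remediated; accepted findings carry a documented
    risk acceptance, so neither kind should fail the pipeline.
    """
    threshold = SEVERITY_BANDS[min_severity]
    findings = json.loads(report_json).get("findings", [])
    return [
        f for f in findings
        if f.get("status") == "open" and float(f.get("severity", 0)) >= threshold
    ]


def should_break_build(report_json: str, min_severity: str = "high") -> bool:
    """True when at least one open finding meets or exceeds the threshold."""
    return bool(blocking_findings(report_json, min_severity))


def main(argv: list) -> int:
    """Evaluate a report file (or the sample) and return the process exit code."""
    report = SAMPLE_REPORT
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = fh.read()
    min_severity = argv[2] if len(argv) > 2 else "high"
    if min_severity not in SEVERITY_BANDS:
        print(f"unknown severity band: {min_severity}", file=sys.stderr)
        return 2  # misconfiguration is not a pass; fail closed

    blockers = blocking_findings(report, min_severity)
    if not blockers:
        print(f"build gate: no open findings at or above '{min_severity}'")
        return 0
    print(f"build gate: {len(blockers)} open finding(s) block this build:")
    for f in blockers:
        print(f"  {f['id']}  {f['severity']:>4}  {f['title']}  ({f['location']})")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two design choices matter for a gate like this. First, it fails closed: an unknown severity band is an error, not a pass, so a typo in the pipeline configuration cannot silently disable the check. Second, the decision is a pure function of the report, which is what makes the policy reviewable and testable independently of the scanner that produced the report; the exit code is the only thing the CI runner needs.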

Ready to try Continuous Hacking?

Discover the benefits of our comprehensive Continuous Hacking solution, which hundreds of organizations are already enjoying.
