The popularity and success of DevOps mean it’s now an increasingly common feature in IT job descriptions.
One of the most important roles within DevOps, however, is the Security Engineer or DevSecOps Engineer. This deeply rewarding career requires a specific technical skill set, current knowledge of cybersecurity trends and a decent amount of experience.
Perhaps the best thing about this role is that demand is rising. You’ll find the need for such engineers is sky-high right now and will continue to rise as cyberattacks grow in frequency and sophistication.
What Does Being a DevSecOps Engineer Involve?
The work of a DevSecOps Engineer is like that of many other IT security professionals. Both use a variety of best-practice tools and methods, such as cybersecurity software, threat modelling and risk assessments, to detect and analyze threats.
However, in keeping with DevOps practices, there are some key differences when compared to a typical IT security role.
On DevOps projects, security isn’t an afterthought but is built into the software while it is being created, by using secure coding. During development, the software is attacked to find vulnerabilities, as opposed to running scans once it has been created.
Collaboration is a core practice of DevOps, and therefore DevSecOps Engineers work alongside DevOps Engineers to ensure that security vulnerabilities are assessed and fixed during development. Automation tools to detect vulnerabilities play a key role, so DevSecOps Engineers need a good understanding of such toolsets.
Knowledge of threats is shared with the whole team, instead of being kept within a siloed Ops team. Therefore, DevSecOps Engineers require great communication skills.
What Skills Are Required?
DevSecOps Engineers require a broad set of skills. They need the technical skill set of an IT security professional, as well as knowledge of the DevOps approach. They’ll also need a passion for cybersecurity, with sound awareness of the latest threats and trends. These are the main skills required:
- Knowledge of the DevOps culture and principles.
- An understanding of programming languages such as Ruby, Perl, Java, Python and PHP.
- Strong teamwork and communication skills.
- Knowledge of threat modelling and risk assessment techniques.
- Up-to-date knowledge of cybersecurity threats, current best practices and latest software.
- An understanding of programs such as Puppet, Chef, ThreatModeler, Checkmarx, Immunio and Aqua. They may also need to know Kubernetes, Docker or AWS.
Such skills can be acquired on the job, either in formal employment or through an internship or work placement. You can also take courses to learn DevOps principles, programming languages or automation tools. Of course, you can also teach yourself such languages and tools, as many IT engineers tend to do.
What About Experience and Qualifications?
Many DevSecOps Engineers have experience in a non-DevOps IT security role. If you have no experience as an IT security professional, it is recommended you start there first before getting into DevSecOps.
Starting a career in IT security generally requires a degree in computer science, cybersecurity, math, engineering or science. It is then recommended you gain experience through an internship or graduate placement. You can also enter the field without a degree by gaining practical, industry-standard certifications, such as those offered by Microsoft, CompTIA or Cisco, or the Certified Ethical Hacker (CEH) certification.
Making the move into DevOps requires IT security experience, and you’ll need to gain knowledge of the languages and automation software commonly used on DevOps projects. It is also advised that you gain accredited DevOps qualifications from the DevOps Institute, specifically the DevOps Foundation and DevSecOps Engineering (DSOE) qualifications. These will equip you with a solid understanding of DevOps principles and DevSecOps methods.
You might think DevOps or DevSecOps are just trendy words for developers, operations and security teams who work closely together. But this is wrong. There is so much more to DevOps than that. Ask Netflix, Amazon or Sony—all hugely successful companies that use DevOps culture to get things done.
DevSecOps is a crucial part of DevOps, especially given the current cyberattack climate. As the need for such individuals grows, so will the job openings. If you have security experience and want to boost your career or are thinking about which degree and career path to take, keep DevSecOps in mind.