In the specialty of DevSecOps, demand for talent has outpaced supply. Many organizations have realized that the traditional siloed development structure is no longer adequate for maintaining application security in light of the ever-increasing pace of software development and delivery. To remedy this problem, many have started shifting security left – having developers run tests and fix security issues in their code.
As a result, DevSecOps, a function tasked with continuous AppSec testing throughout the DevOps pipeline, has become essential. However, this is a tough field to break into, and figuring out the right path can be challenging. With such a huge demand in the industry for DevSecOps expertise, those who are looking for new opportunities should understand the skills and qualifications needed for this emerging role.
Here are three strategies to help you get started in the DevSecOps field.
1. Plan a roadmap to get the right experiences and qualifications
Jobs in DevSecOps typically require a four-year college degree in computer science, engineering, or another relevant major. Candidates should also have some experience in AppSec, DevOps, or agile development. For more senior levels, candidates will need to be familiar with the secure software development lifecycle (SDLC), continuous integration and deployment (CI/CD) workflows, cloud technologies, different operating systems, containers, and security/industry standards (NIST, ISO, SOC2, etc.). Certifications such as GIAC Security Essentials (GSEC), CCSP, CISA, CISSP, and more can be beneficial, if not required.
These requirements can seem overwhelming for newcomers, so let’s break them down. Most DevSecOps positions target people with about three to five years of experience. Relevant experience and familiarity with AppSec, CI/CD, specific public cloud services, and more can be gained on the job in InfoSec, IT, or systems administration roles. Exposure to the processes and tools can happen within any company; organizations with mature DevOps implementations will usually have some security practices incorporated even without the DevSecOps label.
While you can obtain most of the required skills and knowledge through other positions, it also helps to study, attend conferences and talks, and pursue personal projects and contributions. Earning a DevSecOps role doesn’t happen overnight – depending on where you are in your career, you may need to do some pivoting, so plan ahead and lay down a roadmap.
2. Showcase an ability to adopt new tools and methods
Automation is a major part of DevSecOps, and it requires the use of multiple software applications and tools. For example, companies use a variety of application security testing (AST) tools, which are essential for ensuring that the code being used in development is safe and for preventing malicious packages from being introduced. These tools can be static (SAST), dynamic (DAST), or interactive (IAST), and they may come from different vendors. Some include automated vulnerability detection, prioritization, and even remediation capabilities that can address issues without requiring IT staff to spend much time researching vulnerabilities.
The lesson: Many different tools are used in DevSecOps, and these will likely change as new innovations are introduced. Stay informed and updated on industry trends, especially if you are early in your journey, because the tools and needs of today might be very different in a few years’ time.
3. Demonstrate that you are a team player
The idea behind shifting left and DevSecOps is to break down the traditional separation between developers, security, and IT professionals. To build a secure SDLC, multiple teams must communicate and collaborate effectively. This means that in addition to the technical skills required for DevSecOps roles, soft skills such as communication, empathy, and cooperation are also important.
These are essential skills needed to prevent tension and conflict. For example, developers may not fully understand the security processes and requirements expected by security teams. Being able to find solutions, give and receive feedback, and mentor others are all desirable skills for DevSecOps professionals. It’s also a good idea to network with coworkers and peers; a strong recommendation can make a big difference in landing a new role.
Ready for a role in DevSecOps?
Cybersecurity knowledge and experience, especially in areas such as open source, are in high demand, and this will only increase in 2022. Now is the ideal time for students and entry-level engineers to be planning a career path in DevSecOps, or for others to transition into DevSecOps.
Since technology and processes will likely look different in a few years, it’s essential to stay on top of new trends, certifications, and developments in the industry (including relevant legislation). Remember that DevSecOps roles are highly collaborative, so strive to understand the needs of different stakeholders and build your professional network.
Keep these tips in mind and you can set the right course for your DevSecOps journey in the new year.