Modern security organizations are moving closer to development, and increasingly integrating directly with development through continuous security and DevSecOps roles.
This combined skillset of security engineer and devops engineer, with enough programming knowledge to automate tasks and speak intelligently to development teams, is massively valuable in the marketplace.
With a technical security background, jumping into a DevSecOps role is easily achievable with a little cross training and the right narrative. Having built & managed a DevSecOps team, I can share the key elements I look for and how to train them up.
Getting the right technical background
Because the continuous security space blends many disciplines, teams are often a mix of security, programming, and ops skills. If you have a strong understanding in one of these disciplines and exposure to the others, you are in a good place.
DevSecOps often requires building custom tooling to integrate security tools with DevOps tools, and being able to understand and intelligently speak with engineering teams is critical for success.
- Competence in at least one language: I always like to see decent programming ability in at least one language, although many DevSecOps jobs may not expect a lot of programming. I usually recommend that you start with Python if you don't know a language. Many security tools use Python already, so it helps in more ways than one!
- Understanding programmer tooling: IDEs, dependency management, source control, and CI/CD. Try to understand how and why these tools are used, and some of the tradeoffs in popular choices. If you do a sample project, try to do it as if you were a full-time programmer, and use the tools of the trade.
DevOps tools & processes
Every workplace will have its own selection of tooling. I generally look for the below or equivalents. As a hiring manager, I care less about the specific toolsets and more about what you have done with them to achieve similar results. Personal projects count in my book if you can demonstrate strong understanding of the fundamentals.
- AWS: Ideally VPC setup, CloudFormation templates, and experience managing some of the core AWS services.
- Jenkins: Managing continuous integration and deployment (ideally having set up automated deployment to AWS) along with managing some plugin setup.
- Docker: understand containerization, Dockerfiles, container registries and deployment models.
Understanding secure development is important, since DevSecOps focuses on deploying custom applications securely and less about other aspects a security organization focuses on such as incident response.
Since this article is assuming you have a background in security, reading up on these things should be pretty quick if you don't work in this aspect of the security org already.
- Secure development practices: being able to talk intelligently about common vulnerabilities and the actual coding fixes for them, such as cross-site scripting, authentication flaws, and SQL injection.
- Systems hardening: Do you know your way around a command line, and how to go about hardening a system?
- AWS security, and cloud security more generally: NACL setups, bastion hosts, bucket access control policies, IAM.
DevSecOps Specific skills
Because this is an emerging space, I have yet to hire a candidate that had specific DevSecOps backgrounds, but that doesn't mean picking up these skills in your current role isn't worthwhile.
The primary role that the DevSecOps engineer plays is ensuring security tool integration with whatever build and deployment tools are being used by development teams. As such, it helps to familiarize yourself with a few of the most common tools you'll be looking at implementing right away.
I maintain a list of DevSecOps tools I use and like that are open source or inexpensive enough that I would recommend purchasing a personal license.
A DevSecOps training plan you can start right now
I am a huge fan of creating learning plans that require as much hands on learning as possible with as little cost as possible. No need for expensive courses or training when just starting out.
If you don't yet have some confidence with programming, take the courses listed above or whatever path you wish to take to learn that skill. Once you have that, I recommend taking the time to go through the following steps.
Each step may take an experienced user anywhere from a few minutes to a couple of hours. If you are brand new to the space, expect to spend significantly more time reading documentation, guides, and playing around before you complete it.
That's OK and expected - you won't become an expert overnight, though this will give you the confidence to speak to the majority of what a DevSecOps engineer does every day.
Step by step DevSecOps learning guide
- Write a very simple webapp with at least three vulnerabilities - XSS, SQLi, and improper auth are usually good ones. I recommend you write this yourself instead of using an off-the-shelf one like WebGoat or DVWA, since you will learn more.
- Containerize your app using Docker so that you can run it locally using docker commands. This means writing a Dockerfile and using the docker commands to run your app. I recommend putting everything in a single container for now to keep it simpler.
- Provision a personal AWS account. It should be free: if you keep compute nodes small, AWS offers free server resources for up to a year.
- Set up a VPC and IAM accounts for your app and for a CI/CD service. Set up NACL rules to create a subnet that is reachable only from your machines (don't expose your vulnerable app to the internet!).
- Write a CloudFormation template to create infrastructure for your app. Since you are using Docker you can start with Fargate, Elastic Beanstalk, or EC2 for deployment, and ECR for your Docker registry.
Depending on the app you wrote, you might also consider a load balancer and RDS instance, though these are probably not necessary. If your app includes a SQLi vulnerability, you might be tempted to build an RDS instance, though you could also just roll Postgres into your Docker container.
- Deploy your container to the infra you created! This should be a manual deployment, probably using AWS command line tools or the web console (try it both ways). Make sure you set up the network rules right so you can reach the app from your IP but not from others (a VPN or Tor can help you test from other IPs).
- Use CloudFormation to deploy Jenkins to your VPC (you can find pre-written templates for this, which is fine since you wrote a custom template for your app already - I recommend spending some time looking over their template and understanding what they are doing and why).
- Configure Jenkins to connect to your GitHub project and build on merge to the master branch.
- Configure Jenkins to deploy to your infrastructure on merge to the master branch. You should now have a fully working, albeit basic, CI/CD pipeline for your app.
- Integrate security tools into the pipeline: ZAP and SonarQube at a minimum. Look at / consider playing with other tools in the list of DevSecOps tools.
- Try making various commits and merges to your app and seeing how fixing security bugs affects the process. Do the same when introducing new security issues.
- Play around with different configurations and see how they work - stop deployment when scans find medium or higher risk items ("breaking the build"), email scan results to yourself, set up dashboards in Jenkins, etc.
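The "breaking the build" step above is where most of the custom glue in a DevSecOps pipeline lives: a scanner produces a report, and something has to read it and decide whether the deployment proceeds. The script below is an added example I wrote for this article; it is not part of the original guide, nor ZAP's or Jenkins' own code. It parses a ZAP JSON report, counts findings per risk level, and exits non-zero when anything at or above a configurable threshold (medium by default) is present, which is what makes a Jenkins shell step fail. It assumes the layout of ZAP's traditional JSON report (a `site` list, each with an `alerts` list carrying `riskcode`, `alert` and `instances`) as I remember it; check it against the report your ZAP version emits. The embedded report is constructed sample data, including the plugin ids and the private IP.

```python
"""Build gate for a CI pipeline: fail the job when a ZAP scan reports findings
at or above a chosen risk level ("breaking the build").

Assumes ZAP's traditional JSON report layout (site -> alerts -> riskcode,
alert, instances). SAMPLE_REPORT is constructed sample data, not real output.
"""
import json
import sys

# ZAP encodes risk as a string digit in the report: 0=Info, 1=Low, 2=Medium, 3=High
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
RISK_LEVELS = {name.lower(): code for code, name in RISK_NAMES.items()}

# Constructed sample report, shaped like ZAP's JSON output (plugin ids, URIs
# and the 10.0.1.10 address are illustrative values, not a real scan).
SAMPLE_REPORT = json.dumps({
    "@version": "2.11.1",
    "site": [{
        "@name": "http://10.0.1.10:8080",
        "alerts": [
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "http://10.0.1.10:8080/search?q=x",
                            "method": "GET", "param": "q"}]},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3",
             "instances": [{"uri": "http://10.0.1.10:8080/", "method": "GET"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "http://10.0.1.10:8080/", "method": "GET"},
                           {"uri": "http://10.0.1.10:8080/login", "method": "GET"}]},
        ],
    }],
})


def load_alerts(report_text):
    """Flatten the per-site alert lists into dicts of risk, name and instance count."""
    report = json.loads(report_text)
    alerts = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            alerts.append({
                "risk": int(alert["riskcode"]),
                "name": alert["alert"],
                "instances": len(alert.get("instances", [])),
            })
    return alerts


def summarize(alerts):
    """Count alerts per risk code; unknown codes are still counted rather than dropped."""
    counts = {code: 0 for code in RISK_NAMES}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


def gate(alerts, fail_on="medium"):
    """Return (passed, blocking_alerts); an alert blocks when its risk >= the threshold."""
    threshold = RISK_LEVELS[fail_on.lower()]
    blocking = [a for a in alerts if a["risk"] >= threshold]
    return (len(blocking) == 0, blocking)


def main(argv):
    # Usage: python zap_gate.py [report.json] [info|low|medium|high]
    path = argv[1] if len(argv) > 1 else None
    fail_on = argv[2] if len(argv) > 2 else "medium"
    text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    alerts = load_alerts(text)
    counts = summarize(alerts)
    for code in sorted(counts, reverse=True):
        print(f"{RISK_NAMES.get(code, f'risk {code}'):>14}: {counts[code]}")
    passed, blocking = gate(alerts, fail_on)
    for a in sorted(blocking, key=lambda a: -a["risk"]):
        print(f"BLOCKING [{RISK_NAMES.get(a['risk'], a['risk'])}] {a['name']} "
              f"({a['instances']} instance(s))")
    print("Gate:", "PASS" if passed else f"FAIL (threshold: {fail_on})")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire it in as a shell step after the ZAP scan (for example `python zap_gate.py zap-report.json medium`); the non-zero exit status is what stops the deploy stage. Keeping the threshold a command-line argument lets you run the same script as a warning-only step on feature branches and as a hard gate on merges to master, which is the kind of configuration experiment the step above suggests.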
That's it! You'll now have more knowledge in the actual workings of DevSecOps than 95% of applicants to those roles. Using these skills in an actual corporate environment is usually just a matter of researching specific products or features, scaling the scope, or dealing with organizational barriers.
If you are thirsty for more, you can also do some more advanced work: split your app into multiple containers, roll out RDS, set up a Kubernetes cluster and deploy multiple app containers to it with load balancers in front, set up cross-region disaster recovery, etc.
Just be aware that some / most of these may run you out of the AWS free services and into billing, which can add up quickly. Make sure you thoroughly investigate billing models and watch your billing dashboard as you spin up additional services - and always shut them down when you aren't actively using them.
I always want to hear about success stories in entering the field, or from other hiring managers and executives who are building or looking to build this service. What would you recommend?