DevSecOps is one of the most in-demand fields in the cybersecurity industry. Most of the companies I have worked with are either considering or starting to implement this process in their daily integration. Therefore, I decided to write this blog post to help those who are looking to recruit a DevSecOps engineer better understand what a DevSecOps engineer does and what skills he should have.
A DevSecOps engineer needs to combine multiple IT domains such as networking, application development, and system administration. Therefore, here is a list of what a DevSecOps engineer does in a company:
Now, if you are interested in knowing more details about each part of the DevSecOps engineer job, then just keep reading…
Obviously, the first thing a DevSecOps engineer has to do is make sure that the DevOps process is working correctly. Therefore, a core part of the job is supporting the DevOps system, which means implementing, troubleshooting, and maintaining the different parts of the DevOps process.
Basically what you are going to do is this:
Of course, this may sound like the job of a DevOps engineer, and you are right. Unfortunately, most companies that look for a DevSecOps engineer do not make this distinction and prefer to recruit someone who can deal with both aspects (the DevOps infrastructure and security automation).
This does not mean that every company does the same thing and wants someone with both skill sets, but it will take time for this field to mature and for these two profiles to be clearly separated.
Knowing the DevOps process is, in my view, an important aspect of a DevSecOps engineer's career: if you don't understand that process, you won't be able to do the next, most important, part of the job.
The main job of a DevSecOps engineer is to deal with the security side of this field. In practice, this means automating the process of securing the applications developed by the Dev team.
When we talk about automating security, it means putting in place the necessary tools and software that automatically scan every application before it is integrated. Moreover, this automated scanning is performed at multiple levels of the DevOps process, from library verification to code scanning and up to the final dynamic scan of the running application.
Therefore, a very large number of technologies and techniques must be mastered in order to adapt them to the context of the company and to get better results. The DevSecOps engineer should thus have very good experience in cybersecurity, especially in secure coding, to better understand the many configuration aspects involved and to choose the right tools.
In some cases, the DevSecOps engineer will have to perform manual work at several levels of the process, as many security problems still cannot be fully automated. The example I usually give, because it is the most common and the easiest one to understand, is business logic vulnerabilities. This kind of vulnerability cannot be found by a static analysis tool, and it is very hard to find statically even for a cybersecurity expert.
In addition, most business logic vulnerabilities cannot be found automatically even at the level of dynamic analysis. Therefore, finding this kind of vulnerability requires the DevSecOps engineer to perform a manual penetration test against the app before the final integration.
As you know, the DevOps or DevSecOps process consists of a set of tools, software, operating systems, and more. Those tools and systems can become vulnerable over time, turning into a source of risk for the company's development process and creating what we call supply chain vulnerabilities.
Therefore, a vulnerability check needs to be performed periodically on every piece of the DevOps process. By that I mean a periodic penetration test needs to be performed against the whole network. In addition, the network configuration needs to be reviewed for vulnerabilities as often as possible. Even the static and dynamic application vulnerability detection tools themselves need to be checked regularly.
Basically, everything that may have a security impact on the DevOps environment needs to be checked for vulnerabilities.
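To make the two ideas above concrete (scanning every application's libraries before integration, and periodically checking the pipeline's own tooling for known weaknesses), here is a small security gate written as an added example for this post; it is not code from the original article or from any particular product. The advisory list, the component names, the version numbers and the `ADV-EXAMPLE-*` identifiers are all constructed sample data, and the version comparison is a deliberately simple numeric one.

```python
"""Added example (not from the original post): a minimal security gate that a
DevSecOps pipeline could run before an application is integrated.

It checks two inventories against a constructed advisory list:
  * the application's third-party libraries (the "library verification" step)
  * the pipeline's own tooling (the periodic check of the DevOps components)
and fails the build when a finding reaches the configured severity threshold.
All advisories, component names and versions below are constructed sample data."""

from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_in: str      # first version that is NOT affected
    severity: str
    advisory_id: str   # placeholder id, constructed for this example


# Constructed advisories; the identifiers are placeholders, not real CVEs.
ADVISORIES = [
    Advisory("web-framework", "2.4.1", "high", "ADV-EXAMPLE-001"),
    Advisory("yaml-parser", "5.1.0", "critical", "ADV-EXAMPLE-002"),
    Advisory("log-lib", "1.3.2", "low", "ADV-EXAMPLE-003"),
    Advisory("sast-scanner", "3.0.0", "medium", "ADV-EXAMPLE-004"),
]


def parse_version(v: str) -> tuple:
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def find_vulnerable(inventory: dict, advisories=ADVISORIES) -> list:
    """Return (component, version, advisory) for every entry older than the fixed version."""
    findings = []
    for component, version in inventory.items():
        for adv in advisories:
            if adv.component == component and parse_version(version) < parse_version(adv.fixed_in):
                findings.append((component, version, adv))
    return findings


def gate(app_deps: dict, pipeline_tools: dict, fail_at: str = "high") -> dict:
    """Evaluate both inventories and decide whether the build may proceed.

    Every finding is reported; only those at or above `fail_at` block the build."""
    threshold = SEVERITY_RANK[fail_at]
    findings = find_vulnerable(app_deps) + find_vulnerable(pipeline_tools)
    blocking = [f for f in findings if SEVERITY_RANK[f[2].severity] >= threshold]
    return {
        "passed": not blocking,
        "findings": [(c, v, a.advisory_id, a.severity) for c, v, a in findings],
        "blocking": [a.advisory_id for _, _, a in blocking],
    }


# Constructed sample inventories: one for the application, one for the pipeline itself.
SAMPLE_APP_DEPS = {"web-framework": "2.3.9", "yaml-parser": "5.1.0", "log-lib": "1.2.0"}
SAMPLE_PIPELINE_TOOLS = {"sast-scanner": "2.9.1", "ci-runner": "14.2.0"}

if __name__ == "__main__":
    report = gate(SAMPLE_APP_DEPS, SAMPLE_PIPELINE_TOOLS)
    for comp, ver, adv_id, sev in report["findings"]:
        print(f"{sev.upper():8} {comp} {ver} -> {adv_id}")
    print("GATE:", "PASS" if report["passed"] else "FAIL", report["blocking"])
```

With the sample data the gate reports three findings (an outdated web framework, an old logging library, and an outdated scanner in the pipeline) but only the high-severity framework issue blocks the build; the same function run with `fail_at="critical"` lets the build through while still listing every finding, which is the kind of policy decision the DevSecOps engineer has to agree with the development team.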
Contributing to security planning simply means participating in building the company's information security roadmap. The security plan is a set of information security policies and regulations put in place to protect the company's most valuable assets. The DevOps process is also a valuable asset of the company, and it needs to be well secured.
Therefore, a DevSecOps engineer needs to be part of the security planning team to advise on what could be done to make the security of the DevOps environment even better. In addition, some policies may affect the proper functioning of the development process, so a DevSecOps engineer needs to be present to explain this impact to the security manager and help find better solutions.
Participating in security planning also means being part of any team responsible for putting in place a security certification or a security awareness program for employees.
Written by: Z. Oualid
I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE which are the most recognized and hard technical certifications in the industry of cybersecurity. I am also a Certified Ethical Hacker (CEH). I hope you enjoy my articles :).
November 1, 2022