What does a DevSecOps engineer do?

DevSecOps is one of the most in-demand fields in the industry of cybersecurity. Most companies that I worked with are thinking or start to implement this process in their daily integration. Therefore, I decided to write this blog post to help those who are looking for recruiting a DevSecOps engineer to better understand what a DevSecOps engineer do and what kind of skills should he have.

A DevSecOps engineer needs to combine multiple IT domains like Network, Application development, and system administration. Therefore, here is a list of what a DevSecOps engineer do in a company:

• Provide support for the DevOps systems
• Implementing automated security tooling
• Helping reduce vulnerabilities within the process
• Contribute to the security planning

Now, if you are interested in knowing more details about each part of the DevSecOps engineer job, then just keep reading…

Provide support for the DevOps systems

Obviously, the first thing that a DevSecOps engineer would do is make sure that the DevOps process is working correctly. Therefore, the main job of a DevSecOps engineer is to support the DevOps system, which means implementation, troubleshooting, and maintenance of different parts of the DevOps process.

Basically what you are going to do is this:

• Provide support for implementation, troubleshooting, and maintenance of Operation systems
• Isolate and resolve problems related to the applications, operating system, hardware, communications.
• Provide systems and account administration consistently
• Installs or loads the operating system and application software
• Troubleshoot, maintain the integrity and configure network components along with implementing operating systems enhancements to improve reliability and performance
• working on ways to automate and improve development and release processes

Of course, this may sound like the job of a DevOps engineer, and you are right. Unfortunately, most companies that look for a DevSecOps engineer do not do this differentiation and prefer to recruit someone that can deal with both aspects (DevOps infrastructure and Automatic security).

This does not mean that all companies do the same thing and want someone with both skills, but it will take time so that this field becomes more mature and start differentiating between these two profiles.

Implementing automated security tooling

Knowing about the DevOps process is for me an important aspect in the career of a DevSecOps engineer I mean you don’t understand that process you won’t be able to do the next most important work.

The main job of a DevSecOps engineer is to deal with the security aspect of this field. Therefore, what he would do is actually, automating the process of securing the application developed by the Dev team.

When we talk about automating the security it means, putting in place the necessary tools and software that will scan automatically every application before integrating it. In addition, automating the scan of the application is performed at multiple levels of the DevOps process, from library verification to code scanning until the final app dynamic scan.

Therefore, a very large number of technologies and techniques should be mastered to adapt them to the context of the company and to get better results. The DevSecOps engineer then should have very good experience in cybersecurity, especially in secure coding to better understand multiple configuration aspects and to better choose the needed tools.

In some cases, the DevSecOps engineer will be brought to perform some static work at multiple levels of the process, as many security problems still cannot be fully automated. For example, and I usually take this example because it is the most and easier one to better understand this situation, the Business logic vulnerabilities. Well, this kind of vulnerability cannot be found at the level of the static analysis by a tool, and are very hard to find statically also by a cybersecurity expert.

In addition, most of the business logic vulnerabilities cannot be found automatically at even the level of dynamic analysis. Therefore, finding this kind of vulnerability will need the intervention of the DevSecOps engineer to perform a manual penetration test against the app before the final integration.

Helping reduce vulnerabilities within the process

As you know the DevOps or the DevSecOps process consists of a set of tools, software, operating systems, and more. Those tools and systems would get vulnerable over time and might become a source of risk to the company development process, and may create what we call supply chain vulnerabilities.

Therefore, a vulnerability check needs to be performed periodically for every piece of the DevOps process. I mean a periodic penetration test need to be performed against the whole network. In addition, the network configuration needs to be verified to find vulnerabilities on it every possible time. Even the static and dynamic application vulnerability detection tools need to be checked every time.

Basically, everything that may have a security impact on the DevOps environment needs to be checked against vulnerabilities.

Contribute to the security planning

Contribute to security planning, simply means participating in making the information security roadmap of the company. The security plan is simply a set of information security policies and regulations put in place to secure the most valuable assets of the company. The DevOps process is also a valuable asset for the company and it needs to be well secured.

Therefore, a DevSecOps engineer needs to be part of the security planning team to give his advice about what could be done to make the security of the DevOps environment even better. In addition, some policies may impact the proper functioning of the development process. Then a DevSecOps need to be present to clarify this impact to the security manager and help to find better solutions.

Participating in security planning also means, being part of any team responsible for putting in place any security certification or any security awareness programs for employees.