DevOps has witnessed a transformation in recent years. In the past, security was implemented in the final stages at the hands of a security officer. Nowadays the trend has shifted to security becoming a core feature of DevOps. This trend has often been called “shifting left,” where security is “shifted left” to the start of the SDLC and is incorporated throughout. This is the birth of what we now call DevSecOps.
Merging security into every stage of application development is no easy feat, but once you are there you begin reaping benefits such as faster releases across the software delivery lifecycle, vulnerabilities identified early on, and automated processes. However, there is more to it than simply introducing application security into the software delivery process. Adopting secure DevOps is a shared responsibility, not confined to engineers and security teams.
Since DevSecOps is such a far-reaching concept that requires top-down changes within an organization, this blog assesses the skills required at the macro level. To do so, we’ve split it into three areas: technology, process, and people. “Technology” discusses some of the skills your engineers will require for the transition. “Process” discusses the methods by which your organization handles tasks and daily activities in order to create a fluid environment from development up until release. Finally, the “people” section discusses the organizational culture required for a successful DevSecOps transition. Together, these give you a set of skills required from top management down to engineers.
This blog will answer the following questions:
Skills
A DevSecOps engineer’s responsibilities aren’t that different from those of a cybersecurity professional; after all, their main aim is enhancing security. Where they differ is in scope. A cybersecurity professional works wherever IT infrastructure is involved, whereas a DevSecOps engineer focuses solely on a product.
In DevSecOps, DevOps and security teams work alongside each other throughout all stages of the software delivery lifecycle (SDLC), with a focus on creating a secure product quickly. Therefore, for a DevSecOps team to work effectively, the technology has to be in place. DevSecOps engineers require a thirst for knowledge, especially when it comes to staying up to date with the latest in application security and risk assessment techniques. One vital aspect of this is automating security procedures so that developers get rapid feedback and solutions.
Another key skill required for DevSecOps is static code analysis, or static application security testing (SAST). This doesn’t require a working application and can be done without deploying code. SAST is a useful tool while writing code, as it allows for the early detection of potential flaws. This is key because, without it, a critical flaw could easily become entangled in the code base, causing more issues further down the pipeline.
Applications should also be checked while running, using dynamic application security testing (DAST). This includes manual analysis for more complex vulnerabilities and automated testing integrated directly into the CI/CD pipeline to uncover the low-hanging fruit, saving your employees’ time.
DAST is a form of “black box” testing: it simulates an attack from the outside, similar to that of a malicious hacker. If a test ends in an unexpected outcome, it could be a potential attack vector for a hacker once your application has been deployed. DAST therefore helps uncover these vulnerabilities using the same limited information an external threat would have at hand.
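To make the pipeline integration described above concrete, here is an added example (not the author’s code and not the output format of any particular product): a small CI gate that normalises SAST findings in SARIF layout and ZAP-style DAST alerts into one list, fails the build at or above a chosen severity, and lets a security champion risk-accept specific findings. The two reports are constructed samples that follow the SARIF and ZAP JSON structures; the rule names, file paths and line numbers are assumptions.

```python
# Constructed sample reports (not real scan output): a SARIF-style SAST result
# list and a ZAP-style DAST alert list, the two shapes a CI gate typically reads.
SAST_REPORT = {"runs": [{"results": [
    {"ruleId": "sql-injection", "level": "error",
     "message": {"text": "Unsanitised input reaches SQL query"},
     "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 42}}}]},
    {"ruleId": "weak-hash", "level": "warning",
     "message": {"text": "MD5 used for password hashing"},
     "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "app/auth.py"}, "region": {"startLine": 7}}}]},
]}]}
DAST_REPORT = {"site": [{"alerts": [
    {"alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2"},
    {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1"},
]}]}

SAST_LEVEL = {"error": "high", "warning": "medium", "note": "low"}   # SARIF levels
ZAP_RISK = {"3": "high", "2": "medium", "1": "low", "0": "info"}    # ZAP riskcode
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "info": 0}

def normalise_sast(report):
    """Flatten SARIF results into (tool, id, severity, location) findings."""
    findings = []
    for run in report.get("runs", []):
        for r in run.get("results", []):
            loc = r["locations"][0]["physicalLocation"]
            where = f'{loc["artifactLocation"]["uri"]}:{loc["region"]["startLine"]}'
            findings.append(("sast", r["ruleId"], SAST_LEVEL.get(r.get("level"), "low"), where))
    return findings

def normalise_dast(report):
    """Flatten a ZAP JSON report's alerts into the same finding shape."""
    return [("dast", a["alert"], ZAP_RISK.get(a.get("riskcode"), "info"), "runtime")
            for site in report.get("site", []) for a in site.get("alerts", [])]

def gate(findings, fail_at="high", accepted=()):
    """Return (passed, blocking); blocking lists the findings that fail the build.
    `accepted` holds (tool, id) pairs a security champion has explicitly risk-accepted."""
    blocking = [f for f in findings
                if SEVERITY_RANK[f[2]] >= SEVERITY_RANK[fail_at] and (f[0], f[1]) not in accepted]
    return (not blocking, blocking)

if __name__ == "__main__":
    all_findings = normalise_sast(SAST_REPORT) + normalise_dast(DAST_REPORT)
    passed, blocking = gate(all_findings, fail_at="medium",
                            accepted={("dast", "Content Security Policy (CSP) Header Not Set")})
    for tool, rule, sev, where in blocking:
        print(f"[{tool}] {sev.upper():6} {rule} at {where}")
    raise SystemExit(0 if passed else 1)   # non-zero exit fails the CI job
```

Run as a pipeline step, the non-zero exit blocks the merge while the printed lines give the developer the file, line and rule to fix straight away; the accepted set is where documented risk acceptances live, rather than silently lowering the threshold.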
One of the main benefits of DevSecOps is the increased pace of software delivery, so incorporating security into normal processes may at first seem counter-intuitive. One concept that addresses this is the “Paved Road”: the goal is to find the path of least friction and bring software from concept to production as quickly and securely as possible. Therefore, when making decisions that could impact these delivery processes, that impact must be taken into account.
Decisions that hamper the speed of delivery should be minimized. This is an essential skill for top management to learn, passing down the corporate value that delivering secure software quickly to customers is the job of all employees, not just engineers.
Somewhat related to the previous paragraphs is threat modeling. Threat modeling is undeniably an asset for development, but because of the time required, many companies transitioning to DevSecOps skip it. Threat modeling identifies threats that could harm your software; it consists of an in-depth analysis of the software architecture, business context, and other artifacts. This takes up a lot of resources, such as time and effort, which DevSecOps practitioners cannot afford.
Applying threat modeling within a DevSecOps approach is very possible by using practices from agile development, where work is broken into chunks rather than the project being treated as one monolithic task: features and enhancements are added to the backlog as user stories, and each user story includes a description of the threats it introduces. Using these aspects of threat modeling within the pipeline can actually speed up the process.
People are at the heart of DevSecOps teams, and their value cannot be overstated. One of the most valuable steps here is appointing a security champion. It would be an understatement to say that development and security teams don’t always see eye to eye, and often neither side is wrong. Sometimes security procedures are a pain in the backside for development teams, while at other times developers create technologies with disastrous consequences for security.
One of the roles of the security champion is deciding when the security team should be engaged. This is important because sometimes the central security team is not within your project’s budget. Giving your champion a range of leadership roles protects the team leader from a myriad of issues, shielding them from security problems in the pipeline, and supports the project in moving ahead at a rapid pace.
Security champions are usually trained from within, since each organization has its own set of challenges, so training helps with picking up specific knowledge and practices. Vital skills include:
Finally, adopting a culture of accepting and learning from failure is necessary. Employees will make mistakes, but it’s part of the game. The best way to learn is through trial and error, the DevSecOps way! Match this with positive reinforcement to celebrate the moments your team members are excelling and you will have a team of functioning DevSecOps experts in no time.
Now that we’ve discussed the three main areas where embracing DevSecOps skills is important, let’s get a bit more concrete with it. It’s easy to read what to do, but how can we translate this into creating an effective DevSecOps program?
At Everable, we provide top-quality courses tailored for organizations and engineers looking to make the transition to DevSecOps. These include hands-on labs that let students apply the theory they have learned. For example, if you’re looking to master the technology aspect of DevSecOps, take our course on integrating SAST tools to detect vulnerabilities automatically in your CI/CD workflows. For testing running web applications, follow our course on scanning your app with OWASP’s ZAP tool.
If mastering the process and learning the threat modeling methodologies inside out is what you require, take our Basics of Threat Modeling course. Here your engineers will be upskilled in valuable tasks like estimating the cost and time needed to mitigate the threats identified through threat modeling.
Or are you looking to train your security champion? Then sign up for a demo call with one of our sales reps here. You can discuss the intricacies of your organization and we will tailor a program for upskilling your teams on DevSecOps.