Blog

How to Become a Kick-Ass DevSecOps Engineer

Matias Madou, Ph.D.
Published Feb 28, 2020

Much like technology itself, the tools, techniques and optimum processes for developing code evolve quickly. We humans have an insatiable need for more software, more features, more functionality... and we want it faster than ever before, more qualitative, and on top of that: secure. Just a few years ago, Agile development was the next big thing being used to break up big chunks of work into smaller pieces, and being able to quickly adapt to rapid feedback cycles coming from the customer. Before that, the Waterfall method was king of the hill.

While many people and organizations are moving on from Waterfall to Agile -- and not everybody is there yet, let's be real -- they are already encountering a new problem: Development teams and their operations counterparts are still working in silos. In this environment, how can small teams working in an Agile way deliver on that promise of faster deployment, and faster delivery?

DevOps, a moniker that is a combination of development and operations, was created to merge the functions of both developers and operational teams when creating new software. Essentially, this was to help developers take ownership of putting things into production, instead of throwing it over the fence to the operations team and making it their responsibility.

They can certainly ship faster -- even a couple of times per day -- which seems to play in the alley of Agile. However, DevOps still creates one big, mixed team of engineers and operations personnel, which may not be as Agile-aligned in reality. Ultimately, it's best to think of DevOps as an evolution of Agile, as the methodologies are similar in many ways, and complementary in their difference. DevOps promotes an automated, continuous integration and deployment pipeline, which is essential to enable frequent releases, but not as sufficient at the team level - and this is where Agile steps in. Agile allows teams, especially small teams, to keep pace with these rapid releases and changing requirements, while staying on-task and collaborative. It certainly seems ideal -- and the process can keep teams on track with the end goal -- but it is not without its own issues.

Software created using DevOps best practice still has the potential to stumble at the first boss fight: the security team. When the code is examined by traditional/Waterfall AppSec specialists, either with tooling or complex manual review, they often find unacceptable risks and vulnerabilities which must then be fixed after the fact. The process of retrofitting security fixes into completed apps is neither quick nor easy... and it's far more expensive for the organization.

So, then, if the world is moving on past Waterfall, Agile, and now DevOps, what is the solution? And as a developer, what is your role in keeping pace with these changes in approach?

Development techniques are in a constant state of evolution, but thankfully, this one isn't such a huge change. Organizations just need to put the "Sec" in "DevOps"... and so, DevSecOps was born. A primary goal of DevSecOps is to break down barriers and open collaboration between development, operations and, last but not least, security teams. DevSecOps has become both a software engineering tactic and a culture that advocates security automation and monitoring throughout the software development lifecycle.

This might seem like yet another organization-level process, perhaps one with "too many cooks" when it comes to a developer with a long list of features to build. However, the DevSecOps methodology opens up an opportunity for security-aware developers to really shine.

The bright future of DevSecOps

So, why would a coder want to become a DevSecOps engineer? Perhaps you have some experience with DevOps (or even Agile) but want to take the next step to become proficient in DevSecOps. First off, it's good to know that it's a very smart move, and not just in the quest to make the world safe from costly cyberattacks. Experts say that the demand for talented cybersecurity personnel is skyrocketing with no end in sight. Those who master DevSecOps can expect a long and profitable career.

Job security for DevSecOps engineers is even more assured, because unlike traditional cybersecurity tactics like vulnerability scanning with an array of software-based tools, DevSecOps requires people who know how to implement security as they code. As Booz, Allen and Hamilton's analysts noted in their blog entitled 5 Myths of Adopting DevSecOps, organizations want and even need DevSecOps, but simply can't buy it. DevSecOps is a methodology that lets cross-functional teams integrate technologies and collaborate during the whole software development lifecycle, and that requires skilled people, change management and an ongoing commitment from multiple stakeholders.

According to Booz, Allen and Hamilton, companies can purchase apps and tools to help with certain aspects of DevSecOps, like release management software, "but it's really your delivery teams that make it happen." They are the ones driving the continual improvement offered by DevSecOps and its cultural and paradigm shift.

Organizations cannot  "buy" a viable DevSecOps program; it must be built and maintained, using a range of tools, in-house knowledge and guidance that uplifts the security culture, while also making business sense. It's not easy, but it's far from impossible.

How you can kick ass in the DevSecOps movement

One of the first steps on the path to becoming a DevSecOps engineer is realizing that it's as much a culture as it is a set of techniques. It requires the will to implement security as part of every bit of code that you create, and the desire to proactively protect your organization by actively looking for security flaws and vulnerabilities as you code, fixing them long before they make it into production. Most DevSecOps engineers take their profession and skillset very seriously. The DevSecOps professional organization even has a manifesto stating their beliefs.

The manifesto is kind of heavy-handed, as manifestos are rarely light reading. But at the core are a few truths that all great DevSecOps engineers should learn to embrace, like:

  • Realize that the application security team is your ally. At most organizations, the AppSec specialists are at odds with developers, since they are always sending completed code back for more work. AppSec teams don't often have much love for developers either, since they can delay completed code from getting into production through introducing common security bugs. However, a smart DevSecOps engineer will realize that the goals of the security teams are ultimately the same as the developers and coders. You don't have to be best friends, but forming a calm and collaborative work relationship is vital to success.
  • Practice and refine your secure coding techniques. If you can find ways that apps are vulnerable while they are still being built, then closing those loopholes can stop future hackers in their tracks. Of course, this requires both an understanding of vulnerabilities and the tools to help fix them. The Secure Code Warrior blog pages can give insight into the most common and dangerous vulnerabilities you will encounter, as well as practical advice and challenges to test your knowledge. The most important aspect is keeping security front-of-mind, and making time for bite-sized training that helps you build on existing knowledge. It's common for a developer's interactions with security to be fairly unremarkable - even negative - but upskilling in security is a great career move, and it doesn't have to be a chore.
  • Remember: DevSecOps superstars contribute to a positive security culture at their organization. Instead of focusing on the goals of the past, like delivering apps quickly regardless of their inherent problems, it's important to make finding and fixing vulnerabilities in developing code a top priority. Security must be seen as everyone's job, and everyone should share in the adulation and rewards that come from deploying effective and highly secure applications each and every time.

You can assist in cultivating an incredible security culture at your organization by championing secure coding and security best practice from the ground up, recommending training solutions and ensuring no coder is left behind in the all-hands-on-deck, fast-paced world of DevSecOps. The only good code is secure code, and skilled, security-aware developers are vital pieces of the puzzle. The personal and professional rewards are certainly worth the effort, and with billons of personal data records compromised every year (and growing), we need you. Take your spot on the front lines and help defend against the bad guys in our digital world.

Matias Madou, Ph.D. is the CTO and co-founder of Secure Code Warrior. He is a security expert, long-time developer, and Fortnite junkie.

View Resource
View Resource

The world is starting to move on past Waterfall, Agile, and now DevOps, so what is the next solution? And as a developer, what is your role in keeping pace with these changes in approach?

Interested in more?

Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

Book a demo
Share on:
Author
Matias Madou, Ph.D.
Published Feb 28, 2020

Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.

Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.

Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.

Share on:

Much like technology itself, the tools, techniques and optimum processes for developing code evolve quickly. We humans have an insatiable need for more software, more features, more functionality... and we want it faster than ever before, more qualitative, and on top of that: secure. Just a few years ago, Agile development was the next big thing being used to break up big chunks of work into smaller pieces, and being able to quickly adapt to rapid feedback cycles coming from the customer. Before that, the Waterfall method was king of the hill.

While many people and organizations are moving on from Waterfall to Agile -- and not everybody is there yet, let's be real -- they are already encountering a new problem: Development teams and their operations counterparts are still working in silos. In this environment, how can small teams working in an Agile way deliver on that promise of faster deployment, and faster delivery?

DevOps, a moniker that is a combination of development and operations, was created to merge the functions of both developers and operational teams when creating new software. Essentially, this was to help developers take ownership of putting things into production, instead of throwing it over the fence to the operations team and making it their responsibility.

They can certainly ship faster -- even a couple of times per day -- which seems to play in the alley of Agile. However, DevOps still creates one big, mixed team of engineers and operations personnel, which may not be as Agile-aligned in reality. Ultimately, it's best to think of DevOps as an evolution of Agile, as the methodologies are similar in many ways, and complementary in their difference. DevOps promotes an automated, continuous integration and deployment pipeline, which is essential to enable frequent releases, but not as sufficient at the team level - and this is where Agile steps in. Agile allows teams, especially small teams, to keep pace with these rapid releases and changing requirements, while staying on-task and collaborative. It certainly seems ideal -- and the process can keep teams on track with the end goal -- but it is not without its own issues.

Software created using DevOps best practice still has the potential to stumble at the first boss fight: the security team. When the code is examined by traditional/Waterfall AppSec specialists, either with tooling or complex manual review, they often find unacceptable risks and vulnerabilities which must then be fixed after the fact. The process of retrofitting security fixes into completed apps is neither quick nor easy... and it's far more expensive for the organization.

So, then, if the world is moving on past Waterfall, Agile, and now DevOps, what is the solution? And as a developer, what is your role in keeping pace with these changes in approach?

Development techniques are in a constant state of evolution, but thankfully, this one isn't such a huge change. Organizations just need to put the "Sec" in "DevOps"... and so, DevSecOps was born. A primary goal of DevSecOps is to break down barriers and open collaboration between development, operations and, last but not least, security teams. DevSecOps has become both a software engineering tactic and a culture that advocates security automation and monitoring throughout the software development lifecycle.

This might seem like yet another organization-level process, perhaps one with "too many cooks" when it comes to a developer with a long list of features to build. However, the DevSecOps methodology opens up an opportunity for security-aware developers to really shine.

The bright future of DevSecOps

So, why would a coder want to become a DevSecOps engineer? Perhaps you have some experience with DevOps (or even Agile) but want to take the next step to become proficient in DevSecOps. First off, it's good to know that it's a very smart move, and not just in the quest to make the world safe from costly cyberattacks. Experts say that the demand for talented cybersecurity personnel is skyrocketing with no end in sight. Those who master DevSecOps can expect a long and profitable career.

Job security for DevSecOps engineers is even more assured, because unlike traditional cybersecurity tactics like vulnerability scanning with an array of software-based tools, DevSecOps requires people who know how to implement security as they code. As Booz, Allen and Hamilton's analysts noted in their blog entitled 5 Myths of Adopting DevSecOps, organizations want and even need DevSecOps, but simply can't buy it. DevSecOps is a methodology that lets cross-functional teams integrate technologies and collaborate during the whole software development lifecycle, and that requires skilled people, change management and an ongoing commitment from multiple stakeholders.

According to Booz, Allen and Hamilton, companies can purchase apps and tools to help with certain aspects of DevSecOps, like release management software, "but it's really your delivery teams that make it happen." They are the ones driving the continual improvement offered by DevSecOps and its cultural and paradigm shift.

Organizations cannot  "buy" a viable DevSecOps program; it must be built and maintained, using a range of tools, in-house knowledge and guidance that uplifts the security culture, while also making business sense. It's not easy, but it's far from impossible.

How you can kick ass in the DevSecOps movement

One of the first steps on the path to becoming a DevSecOps engineer is realizing that it's as much a culture as it is a set of techniques. It requires the will to implement security as part of every bit of code that you create, and the desire to proactively protect your organization by actively looking for security flaws and vulnerabilities as you code, fixing them long before they make it into production. Most DevSecOps engineers take their profession and skillset very seriously. The DevSecOps professional organization even has a manifesto stating their beliefs.

The manifesto is kind of heavy-handed, as manifestos are rarely light reading. But at the core are a few truths that all great DevSecOps engineers should learn to embrace, like:

  • Realize that the application security team is your ally. At most organizations, the AppSec specialists are at odds with developers, since they are always sending completed code back for more work. AppSec teams don't often have much love for developers either, since they can delay completed code from getting into production through introducing common security bugs. However, a smart DevSecOps engineer will realize that the goals of the security teams are ultimately the same as the developers and coders. You don't have to be best friends, but forming a calm and collaborative work relationship is vital to success.
  • Practice and refine your secure coding techniques. If you can find ways that apps are vulnerable while they are still being built, then closing those loopholes can stop future hackers in their tracks. Of course, this requires both an understanding of vulnerabilities and the tools to help fix them. The Secure Code Warrior blog pages can give insight into the most common and dangerous vulnerabilities you will encounter, as well as practical advice and challenges to test your knowledge. The most important aspect is keeping security front-of-mind, and making time for bite-sized training that helps you build on existing knowledge. It's common for a developer's interactions with security to be fairly unremarkable - even negative - but upskilling in security is a great career move, and it doesn't have to be a chore.
  • Remember: DevSecOps superstars contribute to a positive security culture at their organization. Instead of focusing on the goals of the past, like delivering apps quickly regardless of their inherent problems, it's important to make finding and fixing vulnerabilities in developing code a top priority. Security must be seen as everyone's job, and everyone should share in the adulation and rewards that come from deploying effective and highly secure applications each and every time.

You can assist in cultivating an incredible security culture at your organization by championing secure coding and security best practice from the ground up, recommending training solutions and ensuring no coder is left behind in the all-hands-on-deck, fast-paced world of DevSecOps. The only good code is secure code, and skilled, security-aware developers are vital pieces of the puzzle. The personal and professional rewards are certainly worth the effort, and with billons of personal data records compromised every year (and growing), we need you. Take your spot on the front lines and help defend against the bad guys in our digital world.

Matias Madou, Ph.D. is the CTO and co-founder of Secure Code Warrior. He is a security expert, long-time developer, and Fortnite junkie.

View Resource
View Resource

Fill out the form below to download the report

We would like your permission to send you information on our products and/or related secure coding topics. We’ll always treat your personal details with the utmost care and will never sell them to other companies for marketing purposes.

Submit
To submit the form, please enable 'Analytics' cookies. Feel free to disable them again once you're done.

Much like technology itself, the tools, techniques and optimum processes for developing code evolve quickly. We humans have an insatiable need for more software, more features, more functionality... and we want it faster than ever before, more qualitative, and on top of that: secure. Just a few years ago, Agile development was the next big thing being used to break up big chunks of work into smaller pieces, and being able to quickly adapt to rapid feedback cycles coming from the customer. Before that, the Waterfall method was king of the hill.

While many people and organizations are moving on from Waterfall to Agile -- and not everybody is there yet, let's be real -- they are already encountering a new problem: Development teams and their operations counterparts are still working in silos. In this environment, how can small teams working in an Agile way deliver on that promise of faster deployment, and faster delivery?

DevOps, a moniker that is a combination of development and operations, was created to merge the functions of both developers and operational teams when creating new software. Essentially, this was to help developers take ownership of putting things into production, instead of throwing it over the fence to the operations team and making it their responsibility.

They can certainly ship faster -- even a couple of times per day -- which seems to play in the alley of Agile. However, DevOps still creates one big, mixed team of engineers and operations personnel, which may not be as Agile-aligned in reality. Ultimately, it's best to think of DevOps as an evolution of Agile, as the methodologies are similar in many ways, and complementary in their difference. DevOps promotes an automated, continuous integration and deployment pipeline, which is essential to enable frequent releases, but not as sufficient at the team level - and this is where Agile steps in. Agile allows teams, especially small teams, to keep pace with these rapid releases and changing requirements, while staying on-task and collaborative. It certainly seems ideal -- and the process can keep teams on track with the end goal -- but it is not without its own issues.

Software created using DevOps best practice still has the potential to stumble at the first boss fight: the security team. When the code is examined by traditional/Waterfall AppSec specialists, either with tooling or complex manual review, they often find unacceptable risks and vulnerabilities which must then be fixed after the fact. The process of retrofitting security fixes into completed apps is neither quick nor easy... and it's far more expensive for the organization.

So, then, if the world is moving on past Waterfall, Agile, and now DevOps, what is the solution? And as a developer, what is your role in keeping pace with these changes in approach?

Development techniques are in a constant state of evolution, but thankfully, this one isn't such a huge change. Organizations just need to put the "Sec" in "DevOps"... and so, DevSecOps was born. A primary goal of DevSecOps is to break down barriers and open collaboration between development, operations and, last but not least, security teams. DevSecOps has become both a software engineering tactic and a culture that advocates security automation and monitoring throughout the software development lifecycle.

This might seem like yet another organization-level process, perhaps one with "too many cooks" when it comes to a developer with a long list of features to build. However, the DevSecOps methodology opens up an opportunity for security-aware developers to really shine.

The bright future of DevSecOps

So, why would a coder want to become a DevSecOps engineer? Perhaps you have some experience with DevOps (or even Agile) but want to take the next step to become proficient in DevSecOps. First off, it's good to know that it's a very smart move, and not just in the quest to make the world safe from costly cyberattacks. Experts say that the demand for talented cybersecurity personnel is skyrocketing with no end in sight. Those who master DevSecOps can expect a long and profitable career.

Job security for DevSecOps engineers is even more assured, because unlike traditional cybersecurity tactics like vulnerability scanning with an array of software-based tools, DevSecOps requires people who know how to implement security as they code. As Booz, Allen and Hamilton's analysts noted in their blog entitled 5 Myths of Adopting DevSecOps, organizations want and even need DevSecOps, but simply can't buy it. DevSecOps is a methodology that lets cross-functional teams integrate technologies and collaborate during the whole software development lifecycle, and that requires skilled people, change management and an ongoing commitment from multiple stakeholders.

According to Booz, Allen and Hamilton, companies can purchase apps and tools to help with certain aspects of DevSecOps, like release management software, "but it's really your delivery teams that make it happen." They are the ones driving the continual improvement offered by DevSecOps and its cultural and paradigm shift.

Organizations cannot  "buy" a viable DevSecOps program; it must be built and maintained, using a range of tools, in-house knowledge and guidance that uplifts the security culture, while also making business sense. It's not easy, but it's far from impossible.

How you can kick ass in the DevSecOps movement

One of the first steps on the path to becoming a DevSecOps engineer is realizing that it's as much a culture as it is a set of techniques. It requires the will to implement security as part of every bit of code that you create, and the desire to proactively protect your organization by actively looking for security flaws and vulnerabilities as you code, fixing them long before they make it into production. Most DevSecOps engineers take their profession and skillset very seriously. The DevSecOps professional organization even has a manifesto stating their beliefs.

The manifesto is kind of heavy-handed, as manifestos are rarely light reading. But at the core are a few truths that all great DevSecOps engineers should learn to embrace, like:

  • Realize that the application security team is your ally. At most organizations, the AppSec specialists are at odds with developers, since they are always sending completed code back for more work. AppSec teams don't often have much love for developers either, since they can delay completed code from getting into production through introducing common security bugs. However, a smart DevSecOps engineer will realize that the goals of the security teams are ultimately the same as the developers and coders. You don't have to be best friends, but forming a calm and collaborative work relationship is vital to success.
  • Practice and refine your secure coding techniques. If you can find ways that apps are vulnerable while they are still being built, then closing those loopholes can stop future hackers in their tracks. Of course, this requires both an understanding of vulnerabilities and the tools to help fix them. The Secure Code Warrior blog pages can give insight into the most common and dangerous vulnerabilities you will encounter, as well as practical advice and challenges to test your knowledge. The most important aspect is keeping security front-of-mind, and making time for bite-sized training that helps you build on existing knowledge. It's common for a developer's interactions with security to be fairly unremarkable - even negative - but upskilling in security is a great career move, and it doesn't have to be a chore.
  • Remember: DevSecOps superstars contribute to a positive security culture at their organization. Instead of focusing on the goals of the past, like delivering apps quickly regardless of their inherent problems, it's important to make finding and fixing vulnerabilities in developing code a top priority. Security must be seen as everyone's job, and everyone should share in the adulation and rewards that come from deploying effective and highly secure applications each and every time.

You can assist in cultivating an incredible security culture at your organization by championing secure coding and security best practice from the ground up, recommending training solutions and ensuring no coder is left behind in the all-hands-on-deck, fast-paced world of DevSecOps. The only good code is secure code, and skilled, security-aware developers are vital pieces of the puzzle. The personal and professional rewards are certainly worth the effort, and with billons of personal data records compromised every year (and growing), we need you. Take your spot on the front lines and help defend against the bad guys in our digital world.

Matias Madou, Ph.D. is the CTO and co-founder of Secure Code Warrior. He is a security expert, long-time developer, and Fortnite junkie.

Access resource

Click on the link below and download the PDF of this resource.

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

View reportBook a demo
Download PDF
View Resource
Share on:
Interested in more?

Share on:
Author
Matias Madou, Ph.D.
Published Feb 28, 2020

Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.

Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.

Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.

Share on:

Much like technology itself, the tools, techniques and optimum processes for developing code evolve quickly. We humans have an insatiable need for more software, more features, more functionality... and we want it faster than ever before, more qualitative, and on top of that: secure. Just a few years ago, Agile development was the next big thing being used to break up big chunks of work into smaller pieces, and being able to quickly adapt to rapid feedback cycles coming from the customer. Before that, the Waterfall method was king of the hill.

While many people and organizations are moving on from Waterfall to Agile -- and not everybody is there yet, let's be real -- they are already encountering a new problem: Development teams and their operations counterparts are still working in silos. In this environment, how can small teams working in an Agile way deliver on that promise of faster deployment, and faster delivery?

DevOps, a moniker that is a combination of development and operations, was created to merge the functions of both developers and operational teams when creating new software. Essentially, this was to help developers take ownership of putting things into production, instead of throwing it over the fence to the operations team and making it their responsibility.

They can certainly ship faster -- even a couple of times per day -- which seems to play in the alley of Agile. However, DevOps still creates one big, mixed team of engineers and operations personnel, which may not be as Agile-aligned in reality. Ultimately, it's best to think of DevOps as an evolution of Agile, as the methodologies are similar in many ways, and complementary in their difference. DevOps promotes an automated, continuous integration and deployment pipeline, which is essential to enable frequent releases, but not as sufficient at the team level - and this is where Agile steps in. Agile allows teams, especially small teams, to keep pace with these rapid releases and changing requirements, while staying on-task and collaborative. It certainly seems ideal -- and the process can keep teams on track with the end goal -- but it is not without its own issues.

Software created using DevOps best practice still has the potential to stumble at the first boss fight: the security team. When the code is examined by traditional/Waterfall AppSec specialists, either with tooling or complex manual review, they often find unacceptable risks and vulnerabilities which must then be fixed after the fact. The process of retrofitting security fixes into completed apps is neither quick nor easy... and it's far more expensive for the organization.

So, then, if the world is moving on past Waterfall, Agile, and now DevOps, what is the solution? And as a developer, what is your role in keeping pace with these changes in approach?

Development techniques are in a constant state of evolution, but thankfully, this one isn't such a huge change. Organizations just need to put the "Sec" in "DevOps"... and so, DevSecOps was born. A primary goal of DevSecOps is to break down barriers and open collaboration between development, operations and, last but not least, security teams. DevSecOps has become both a software engineering tactic and a culture that advocates security automation and monitoring throughout the software development lifecycle.

This might seem like yet another organization-level process, perhaps one with "too many cooks" when it comes to a developer with a long list of features to build. However, the DevSecOps methodology opens up an opportunity for security-aware developers to really shine.

The bright future of DevSecOps

So, why would a coder want to become a DevSecOps engineer? Perhaps you have some experience with DevOps (or even Agile) but want to take the next step to become proficient in DevSecOps. First off, it's good to know that it's a very smart move, and not just in the quest to make the world safe from costly cyberattacks. Experts say that the demand for talented cybersecurity personnel is skyrocketing with no end in sight. Those who master DevSecOps can expect a long and profitable career.

Job security for DevSecOps engineers is even more assured, because unlike traditional cybersecurity tactics like vulnerability scanning with an array of software-based tools, DevSecOps requires people who know how to implement security as they code. As Booz, Allen and Hamilton's analysts noted in their blog entitled 5 Myths of Adopting DevSecOps, organizations want and even need DevSecOps, but simply can't buy it. DevSecOps is a methodology that lets cross-functional teams integrate technologies and collaborate during the whole software development lifecycle, and that requires skilled people, change management and an ongoing commitment from multiple stakeholders.

According to Booz, Allen and Hamilton, companies can purchase apps and tools to help with certain aspects of DevSecOps, like release management software, "but it's really your delivery teams that make it happen." They are the ones driving the continual improvement offered by DevSecOps and its cultural and paradigm shift.

Organizations cannot  "buy" a viable DevSecOps program; it must be built and maintained, using a range of tools, in-house knowledge and guidance that uplifts the security culture, while also making business sense. It's not easy, but it's far from impossible.

How you can kick ass in the DevSecOps movement

One of the first steps on the path to becoming a DevSecOps engineer is realizing that it's as much a culture as it is a set of techniques. It requires the will to implement security as part of every bit of code that you create, and the desire to proactively protect your organization by actively looking for security flaws and vulnerabilities as you code, fixing them long before they make it into production. Most DevSecOps engineers take their profession and skillset very seriously. The DevSecOps professional organization even has a manifesto stating their beliefs.

The manifesto is kind of heavy-handed, as manifestos are rarely light reading. But at the core are a few truths that all great DevSecOps engineers should learn to embrace, like:

  • Realize that the application security team is your ally. At most organizations, the AppSec specialists are at odds with developers, since they are always sending completed code back for more work. AppSec teams don't often have much love for developers either, since they can delay completed code from getting into production through introducing common security bugs. However, a smart DevSecOps engineer will realize that the goals of the security teams are ultimately the same as the developers and coders. You don't have to be best friends, but forming a calm and collaborative work relationship is vital to success.
  • Practice and refine your secure coding techniques. If you can find ways that apps are vulnerable while they are still being built, then closing those loopholes can stop future hackers in their tracks. Of course, this requires both an understanding of vulnerabilities and the tools to help fix them. The Secure Code Warrior blog pages can give insight into the most common and dangerous vulnerabilities you will encounter, as well as practical advice and challenges to test your knowledge. The most important aspect is keeping security front-of-mind, and making time for bite-sized training that helps you build on existing knowledge. It's common for a developer's interactions with security to be fairly unremarkable - even negative - but upskilling in security is a great career move, and it doesn't have to be a chore.
  • Remember: DevSecOps superstars contribute to a positive security culture at their organization. Instead of focusing on the goals of the past, like delivering apps quickly regardless of their inherent problems, it's important to make finding and fixing vulnerabilities in developing code a top priority. Security must be seen as everyone's job, and everyone should share in the adulation and rewards that come from deploying effective and highly secure applications each and every time.

You can assist in cultivating an incredible security culture at your organization by championing secure coding and security best practice from the ground up, recommending training solutions and ensuring no coder is left behind in the all-hands-on-deck, fast-paced world of DevSecOps. The only good code is secure code, and skilled, security-aware developers are vital pieces of the puzzle. The personal and professional rewards are certainly worth the effort, and with billons of personal data records compromised every year (and growing), we need you. Take your spot on the front lines and help defend against the bad guys in our digital world.

Matias Madou, Ph.D. is the CTO and co-founder of Secure Code Warrior. He is a security expert, long-time developer, and Fortnite junkie.

Table of contents

Download PDF
View Resource
Interested in more?

Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

Book a demoDownload
Share on:
Resource hub

Resources to get you started

More posts
Resource hub

Resources to get you started

More posts