With more and more organizations relying on cloud-based tools to fuel their digital transformation projects and drive future growth, quickly developing and deploying applications has never been more important. At the same time, securing code against vulnerabilities and potential attacks can slow that process. This push and pull between speed and security has led large organizations to increasingly focus on development, security and operations, or DevSecOps for short.
The DevSecOps discipline focuses on the “integration of security into emerging Agile IT and DevOps development as seamlessly and as transparently as possible,” according to a definition published by research firm Gartner.
The need for organizations to invest in better ways to secure code is driving this fast-growing part of the tech sector. One study found the DevSecOps market hit $2.55 billion in 2020, and it’s expected to grow at a compound annual growth rate (CAGR) of 32.2 percent over the next several years.
In turn, the need for secure code is fueling a market for DevSecOps engineers. For those technologists with the right set of skills who can bridge the gap between cybersecurity and coding, a DevSecOps engineering career offers a solid paycheck; Glassdoor currently estimates the average base salary in the U.S. is $102,428.
For those thinking about a DevSecOps engineering career, flexibility and a willingness to learn are a must, experts noted.
“The main characteristic I have seen with great DevSecOps engineers is that they’re really good at getting kind of good at new things. DevOps engineers in general and DevSecOps engineers specifically have to work across several different disciplines, on technologies spread across many different cloud providers so there always seems to be something new to learn,” said Dan Cornell, vice president at Coalfire, a Colorado-based provider of cybersecurity advisory services.
“For individuals who like to stay in their comfort zone, being a DevSecOps engineer is going to be a pretty consistently uncomfortable position and I don’t see that slowing down any time soon,” Cornell added.
DevSecOps Engineers: What Skills Are Needed?
While DevSecOps is a growing area of interest, many organizations are still defining what a DevSecOps engineer is. This means businesses might advertise for different skill sets even though the job remains fundamentally the same, said Sammy Migues, principal scientist at Synopsys Software Integrity Group.
“That means when an organization is advertising for a DevSecOps engineer, they’re likely advertising for a specific set of skills that are useful to them at that time,” Migues told Dice. “The applicant should assume that the job description will change as the organization matures in DevOps and DevSecOps—through culture and automation changes—and continuous learners will have an advantage in growing with the role.”
As might be expected, DevSecOps engineers need to know how to test apps for security flaws. Migues and Cornell added that knowledge of tools such as static application security testing (SAST), software composition analysis (SCA) and dynamic application security testing (DAST) is a must.
Cornell looks for candidates with a background in penetration testing and possibly some knowledge of threat modeling.
“A challenge for these candidates is to understand how these disciplines translate into a DevSecOps environment and—more specifically—CI/CD pipelines,” Cornell told Dice. “Whereas AppSec engineers may be looking at doing full assessments of a given application at a point in time, DevSecOps engineers working with testing in pipelines are looking more toward setting up automation to quickly find high-quality and relevant security insights for a given build of the software.”
There’s also a need for analytics capabilities to determine why code is (or isn’t) working and what vulnerabilities could have crept in during the development process. “Determining why certain processes or technologies aren’t achieving the desired results—from slower testing processes to super-fast incident response processes—will require everything from conversations to log analysis to number crunching, and a DevSecOps engineer needs to be able to think critically about it,” Migues said.
DevSecOps Engineer: Mastering the Interview
Several experts noted that, when it comes to hiring DevSecOps engineers, the interview process is key, and it’s important for candidates to show mastery of hard skills in coding and security as well as “soft skills” such as communication.
For many candidates, the challenge is demonstrating mastery of development and delivery languages and platforms, as well as the ability to work with various departments to identify and solve problems, said John Steven, CTO at security firm ThreatModeler.
“As a hiring manager, I’ve looked for DevSecOps engineers able to ‘meet engineers on their side of the river,’” Steven told Dice. “Having cult-like technology and platform preferences or knowing what ‘ideal’ looks like may be fine in a vacuum—but you’re almost always joining a company with a good amount of process and technology in place. Most important is an ability to assess the status and evolve from that reality, bringing engineers and operations along with the change.”
On the “hard skills” side, Steven added that he looks for candidates with knowledge of infrastructure-as-code, container orchestration and zero trust.
For his part, Migues noted that good candidates need to show a certain amount of empathy and the ability to build bridges, since much of the job of a DevSecOps engineer is asking developers to rethink their whole process in the name of building better software.
“In an interview for this role, I think it’s important to show that you know how to think through technology and cultural problems and can work with people and automation to solve them,” Migues added. “If the organization only wants to know if you can run a specific tool or drive some manual process, then they’re likely just using DevSecOps Engineer as the title because it looks cool, and it might not be the job for you.”
Do DevSecOps Certifications Matter?
Cybersecurity watchers remain divided over whether candidates for specific jobs need a certification, but most agree that getting one can help. In this case, for example, the DevOps Institute offers its DevSecOps Foundation certification. Others recommend more general cybersecurity certificates, including the Certified Ethical Hacker certificate.
“There are also certifications in adjacent spaces—development certifications, SysAdmin certifications and security certifications,” Cornell said.