DevSecOps model requires security get out of its comfort zone

DevSecOps chops

On a more practical level, experts say security practitioners looking to build their DevSecOps chops should familiarize themselves with basic software design principles, as well as the fundamentals of mainstream coding languages, like PHP, Java, JavaScript, Ru

“DevSecOps has expanded the security role quite dramatically — it’s almost an extra skill set,” Cobb said. “You’re such a valuable member of the team if you can talk one to one with a developer as they walk you through their code and understand the flow.”

While experts say security pros don’t need to write code themselves, they should get comfortable looking over developers’ shoulders to assess, test and address security vulnerabilities at every stage in a project’s lifecycle.

“Let’s say they’re using a tool such as Terraform, a coding language that allows you to standardize infrastructure as code,” Lee said. “Your security team understands Terraform, and they’re working alongside DevOps to make sure the default infrastructure is already secure.”

This workflow theoretically gives programmers more freedom and agility to experiment as they go, without having to submit their code for a separate security review after completion. In another example, Lee said security pros might help build a secure golden image container template on which the development team can improvise.

“They can add their own extra sauce,” he said. “Think of it as multiple chefs working on a meal together.”

Lee also suggested security pros explore security orchestration, automation and response tools, such as Demisto and Splunk’s Phantom, which enable security as code at scale.

The plethora of educational resources available today — vendor training materials, free online courses, YouTube tutorials, formal graduate programs — makes it relatively easy to learn DevSecOps skills, according to Hatter. He cautioned, however, that there is no substitute for hands-on experience.

“Try to work on some projects, even if they’re just hob

As an emerging discipline in an industry already struggling with a labor shortage, the DevSecOps model will likely present a wealth of professional opportunities for motivated security pros, Hatter added.

“There just aren’t that many people currently with that experience,” he said. “In many cases, companies are going to have to build these people.”