DevSecOps Engineer

From IT Engineer to DevSecOps Engineer

For whom?

  • Test Engineers who want to add security testing to their skillset.

  • DevOps Engineers who want to add security to their builds.

What is DevSecOps?

DevSecOps is a state-of-the-art software development approach in which everything comes as code. The topic covers several technical domains of the software development lifecycle. A DevSecOps Engineer integrates into agile teams and works within the continuous delivery development process. She/he can administer the software development pipeline and integrates security tools into its different stages as deployment steps. She/he secures containers in the deployment process and can administer cloud-based nodes. DevSecOps Engineers are highly quality-aware and monitor changes, compliance and behaviour (bugs and vulnerabilities) of a software project. Important topics of DevSecOps are:

  1. Code analysis/vulnerability analysis: SCA, SAST, DAST, and Security as Code.

  2. Change management – increase speed and efficiency by allowing anyone to submit changes, then determine whether the change is good or bad.

  3. Compliance monitoring – be ready for an audit at any time (which means being in a constant state of compliance, including gathering evidence of GDPR compliance, PCI compliance, etc.).

  4. Threat investigation – identify potential emerging threats with each code update and be able to respond quickly.

  5. Vulnerability assessment – identify new vulnerabilities with code analysis, then analyse how quickly they are being responded to and patched.

  6. Security training – train software and IT engineers with guidelines for set routines.
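
Items 1, 3 and 5 above come together in the pipeline as a security gate: a scanner (SCA, SAST or DAST) writes a report, a policy kept in the repository decides whether the build may continue, and the decision is recorded as audit evidence. The following is an added example, not code from the original page or from any project it mentions. The report layout, the tool name, the finding ids and the policy values are all constructed for the illustration; a real pipeline would feed in the JSON that its own scanner emits.

```python
"""Policy-as-code gate for a CI/CD security stage (added example).

Takes the JSON findings a scanner step would write, applies a policy, and
decides whether the pipeline may continue. Everything below that looks like a
real tool, id or date is a constructed placeholder.
"""
import json
from datetime import date

# Constructed policy: fail on any finding at or above `fail_on`, unless the
# finding id is listed as an accepted risk that has not yet expired.
POLICY = {
    "fail_on": "high",
    "accepted_risks": [
        # hypothetical id, owner and expiry; this record is the evidence that
        # someone reviewed the finding and accepted the risk for a limited time
        {"id": "SCA-0001", "owner": "app-team", "expires": "2099-01-01",
         "reason": "library is only used in offline unit tests"},
    ],
}

# Constructed report, in the shape a wrapper around a scanner might emit.
SAMPLE_REPORT = json.dumps({
    "tool": "example-sca",
    "findings": [
        {"id": "SCA-0001", "severity": "high", "component": "left-pad 0.0.1"},
        {"id": "SAST-0042", "severity": "medium", "file": "app/views.py"},
        {"id": "DAST-0007", "severity": "low", "url": "/healthz"},
    ],
})

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def severity_rank(name):
    """Map a severity label to a number. Unknown or missing labels count as
    critical so a scanner that changes its vocabulary fails closed."""
    return SEVERITY_RANK.get(str(name).lower(), SEVERITY_RANK["critical"])


def accepted_risk_ids(policy, today):
    """Return the ids of accepted risks that are still valid on `today`."""
    return {entry["id"] for entry in policy.get("accepted_risks", [])
            if date.fromisoformat(entry["expires"]) >= today}


def evaluate_report(report, policy, today=None):
    """Apply `policy` to one scanner report (JSON string or parsed dict).

    Returns a dict with `passed`, the findings that blocked the build and the
    findings that were waived, so the pipeline can fail fast and keep the
    decision as evidence for a later audit. `today` may be a date or an ISO
    string; it defaults to the current date.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    if isinstance(report, str):
        report = json.loads(report)
    threshold = severity_rank(policy["fail_on"])
    waived_ids = accepted_risk_ids(policy, today)
    blocking, waived = [], []
    for finding in report.get("findings", []):
        if severity_rank(finding.get("severity")) < threshold:
            continue  # below the gate threshold, reported elsewhere but not blocking
        if finding.get("id") in waived_ids:
            waived.append(finding)
        else:
            blocking.append(finding)
    return {"tool": report.get("tool"), "passed": not blocking,
            "blocking": blocking, "waived": waived}


if __name__ == "__main__":
    result = evaluate_report(SAMPLE_REPORT, POLICY, today="2024-01-01")
    print(json.dumps(result, indent=2))
    # A CI job turns the decision into an exit code so the stage fails the build.
    raise SystemExit(0 if result["passed"] else 1)
```

The waiver list is the part worth copying: an accepted risk has an owner, a reason and an expiry, so the gate reopens the finding automatically when the waiver lapses, and the printed result is the artefact you hand to an auditor when asked why a known high-severity finding was allowed through.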

As an IT Professional, what skills do I need to become a DevSecOps Engineer?

DevSecOps skills cover a broad set of IT competences in the following areas.

Computing Basics

You should know basic Unix commands and how to configure different machines and operating systems. You should have a solid understanding of networking.

Project: grab a new machine and configure it with only the tools you need for your work. Install VMs and learn Unix commands. Create and monitor your home IoT network.

If you have a Bachelor's or Master's degree in Computer Science or a related field, you should be familiar with the basics. You might consider refreshing some tooling knowledge or some theory such as the OSI network model.

Software Development Basics

Programming skills are important. You should know at least one interpreted language such as Python very well; Java, JavaScript, Python, PHP, any language skill is good. It is very important to know the tools: git, IDEs, database tools etc.

Project: create an app in Python or JavaScript (Node.js). Try a free coding project.

You should understand simple concepts of creating software, especially web applications. If you are not keen on or do not have time to develop something on your own, you could consider watching the process of developing a whole app on YouTube or a Twitch channel.

Operation Basics

You should know what the software development lifecycle of bigger projects looks like: the steps involved and the tools. You need to understand container and cloud computing. You should know how to use Docker and cloud services such as Google Compute Engine, Microsoft Azure or OpenStack. You should at least know the basics of container orchestration tools like Kubernetes. You should be familiar with infrastructure automation tools like Chef, Puppet, Terraform and Ansible, compliance tools like Chef InSpec, or cloud compliance tools such as Fugue.

Project idea: dockerize your app. Use at least one infrastructure automation tool. Set up your own CD/CI server and add your project to it. Create a build pipeline for your app. Play with container orchestration tools like minikube, and try out a free-tier account on one of the biggest cloud computing providers: AWS, Google or MS Azure.

You should understand the architecture and the different layers of cloud computing. You should be able to relate popular tools to each component within the architecture.

Testing

You should know what the testing pyramid is. If you only unit-test your own application, this is not sufficient, but it can help in understanding the idea of setting up a test. An understanding of integration tests and mocks is a good foundation. Testing is a complex task when it involves many different components, systems and technologies; you should be aware of this.

Security

Understand fundamental security rules and best practices: how to secure your internal LAN and configure iptables. You should know how to secure web applications and, furthermore, how to attack them. Know the OWASP Maturity Model and its security recommendations.

Project ideas: secure your home LAN, secure your DevOps pipeline, check your project for insecure code, take countermeasures against ethical hacking (check the internet for your name, delete data), keep only useful internet accounts, change all passwords, and use a password manager for all of your passwords.
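
For the "check your project for insecure code" idea, the following added example (not code from the original page or from any tool it names) shows what a static check actually does: it parses Python source with the standard `ast` module and reports three well-known risky patterns. The rule ids, the list of credential-like names and the sample source are constructed for the illustration, and a real project would run a maintained SAST tool; this only makes the mechanism visible.

```python
"""Minimal insecure-code check for Python sources (added example).

Walks the syntax tree and reports: string literals assigned to credential-like
names, eval()/exec() calls, and subprocess calls with shell=True. Rule ids and
the name list below are constructed for this illustration.
"""
import ast
from pathlib import Path

# Constructed list of name fragments that usually hold credentials.
SECRET_NAMES = ("password", "passwd", "secret", "api_key", "token")


class InsecureCodeVisitor(ast.NodeVisitor):
    def __init__(self, filename):
        self.filename = filename
        self.findings = []

    def report(self, node, rule, message):
        self.findings.append({"file": self.filename, "line": node.lineno,
                              "rule": rule, "message": message})

    def visit_Assign(self, node):
        # Rule 1: a non-empty string literal assigned to a credential-like name.
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            for target in node.targets:
                # plain name (`password = ...`) or attribute (`self.password = ...`)
                name = target.id if isinstance(target, ast.Name) else getattr(target, "attr", "")
                if any(fragment in name.lower() for fragment in SECRET_NAMES):
                    self.report(node, "HARDCODED_SECRET",
                                f"string literal assigned to {name!r}; load it from a secret store")
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        # Rule 2: eval()/exec() turn whatever data reaches them into code.
        if isinstance(func, ast.Name) and func.id in ("eval", "exec"):
            self.report(node, "DYNAMIC_CODE", f"{func.id}() executes data as code")
        # Rule 3: subprocess.<x>(..., shell=True) hands the argument to a shell,
        # so untrusted input reaching it becomes command injection.
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "subprocess"):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.report(node, "SHELL_TRUE",
                                f"subprocess.{func.attr} called with shell=True; pass an argument list instead")
        self.generic_visit(node)


def scan_source(source, filename="<string>"):
    """Return the findings for one piece of Python source text."""
    visitor = InsecureCodeVisitor(filename)
    visitor.visit(ast.parse(source, filename))
    return visitor.findings


def scan_tree(root):
    """Scan every *.py file below `root` (a project checkout) and collect findings."""
    findings = []
    for path in sorted(Path(root).rglob("*.py")):
        findings.extend(scan_source(path.read_text(encoding="utf-8"), str(path)))
    return findings


# Constructed sample source: line numbers start at 1 on the empty first line.
SAMPLE_SOURCE = '''
import os, subprocess
DB_PASSWORD = "hunter2"               # flagged: literal credential
api_key = os.environ.get("API_KEY")   # fine: read from the environment
def run(cmd):
    return subprocess.run(cmd, shell=True)   # flagged: shell=True
def calc(expr):
    return eval(expr)                 # flagged: eval on caller data
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE, "sample.py"):
        print(f"{f['file']}:{f['line']}: {f['rule']}: {f['message']}")
```

Running it on the sample prints three findings (lines 3, 6 and 8). Point `scan_tree` at a project directory to scan a real checkout; the same findings list can be dumped as JSON and fed to a pipeline gate, which is how "check your project for insecure code" becomes a repeatable CD/CI step rather than a one-off review.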

Culture

Unless the culture of the whole team is agile enough, you will never be able to make everything as code. If you work in a big team, suggest getting an agile facilitator who could assist you in the process of creating a transparent, self-managed and highly responsible culture in your team.

As a company, how can I implement a DevSecOps approach?

OWASP defines a DevSecOps Maturity Model, which is state of the art and the most widely implemented in the industry.

Last updated 3 years ago