In an age of frequent data breaches and hackers who are constantly finding new ways to gain access to systems and devices, proactive IT teams have realized that security needs to be everyone’s job. That’s where DevSecOps comes in. It’s a combination of the development, operations and security functions that allows teams to assess and address potential threats at every stage of a project. We talked to James Stanger, CompTIA’s Chief Technology Evangelist, to better understand what DevSecOps is, how it’s changing IT teams, and how pros can get the skills they need to work in this type of environment.
CompTIA AITP: How did the practice of DevSecOps begin?
James Stanger: Let’s start with a trip in the 'Wayback Machine' to look at a more traditional way of how IT teams work within companies: Developers code and IT pros manage infrastructure or operations. Traditionally, they are isolated from each other because they have different interests and priorities.
Here’s how this works in practice: A developer will develop code on a test server. Once the development cycle is finished, the developer drops it onto an infrastructure server, and everyone expects it to work. But then testing doesn’t go well because the environment has changed during the development phase, so the developer has to reassess and make adjustments.
DevOps is when you put these two functions together. Instead of developing in isolation, developers and infrastructure pros test code at various interface points along the way, so they don’t have to completely start from scratch.
Management, developers and operations are all looking at the same scoreboard, all progressing toward the same goal, and everyone is on the same page. They’re also moving from waterfall-style project management to agile, kanban or scrum project management. Everyone sees what is being done, participates in active sessions where they exchange ideas, and if they see something that doesn’t make sense, they align to it or raise the red flag.
CompTIA AITP: Where does security come into the picture?
JS: DevOps is focused on allowing developers and operations to talk to each other, so we develop the right thing. But, for example, when a team is tasked with getting an app out right away, the first thing that gets cut is security because it slows things down.
To illustrate this, a few years ago there was a denial of service attack that brought down Netflix. Some clever bad guy found out that baby monitors had been put on the market with code that was developed insecurely. These very powerful baby monitors had default passwords that no one could change—the manufacturer hadn’t followed a proper DevSecOps approach and it brought huge companies down.
Security would say, for the baby monitor example, “You only need to listen one way, turn it off and turn it on. You don’t need all this powerful code, and you should be able to change password.” But instead of adding security at the end of the process, DevSecOps teams bring in security professionals early to simultaneously identify security implications as code is being developed and tested.
CompTIA AITP: So DevSecOps isn’t necessarily implemented by a person, but a team?
JS: It’s a process. To effectively do this, you’ll need a team of people, including a project manager who coordinates all of the developers, operations and security professionals.
CompTIA AITP: If an IT pro wants to work in a DevSecOps environment, what skills do they need?
CompTIA AITP: Where can an IT pro or aspiring pro start to gain these skills?
JS: CompTIA certifications can be a good place to start, and the CompTIA Infrastructure Career Pathway includes certifications that align with DevSecOps.
First, you have to understand the device you’re coding to, the endpoint—whether it’s a car, a crane, a PC, a fridge, a phone, a watch, etc. CompTIA A+ teaches the fingerprints of what a device does.
Once your device sends a transmission—to buy something or contact customer service or whatever—CompTIA Network+ helps professionals gain the skills needed to implement functional networks.
Because so much is being done in cloud, CompTIA Cloud+ is also important for network professionals. The skills covered by CompTIA A+, CompTIA Network+ and CompTIA Cloud+ apply to both DevOps and DevSecOps.
Finally, for DevSecOps, CompTIA Security+ helps IT pros make sure hackers can’t get in. These skills are fundamental for any security pro, and there can’t be any gaps in knowledge when it comes to protecting the network.
Join us for a DevSecOps Webinar.
Are you ready to learn more about in-demand skills employers are seeking? Join cybersecurity and transformation strategist and evangelist Laszlo Gonc, co-founder and managing partner, Next Era Transformation Group, LLC and CEO and president, Gonc & Associates, LTD, for The Path to Modern DevSecOps, an informative and educational webinar on March 12 at 3 p.m. Central. During this webinar, you'll:
- Find out what is DevSecOps and why it matters.
- Understand what skills are required to be a DevSecOps engineer.
- Learn six best practices for successfully practicing DevSecOps.
- Discover online resources to upgrade your talent toolbox.