Saturday, April 06, 2019

The New DevSecOps Positions

Finding good people especially in this market is hard. Historically low unemployment makes it difficult. Finding good IT talent, developers, engineers, architects, analysts, etc. is even more difficult. Getting the right person with a passion for their technology, an intrinsic motivation like making a difference, or collaborating with others on game changing technology, and someone who can communicate and cooperate with others from diverse backgrounds is difficult. These are all generally understood and the market tends to reward those with that rare set of skills and motivations.

Specialists are even more difficult to find: developers with just the right mix of UI skills, experience with Ruby or Python or Go, and experience with your framework of choice; security specialists in Threat Intel, SIEM, Threat Hunting, IAM, Forensics, Endpoints, and so much more; engineers with experience on just the right version of Linux, open source software, patching, networking, and more. These specialists with just the right certifications command a premium.

As technology has evolved, new hybrid positions have come to exist. Consider the Cloud Engineer, the Site Reliability Engineer, the Data Analyst, or the Data Privacy Officer, each a combination of specialties. As the need for these hybrids has increased and the number of people with the relevant experience dwindles, companies have been forced to promote and grow people with experience in one half of the equation while they learn the other half. Most cloud engineers are former systems admins who were thrust into the world of AWS, Azure, Google Cloud, etc. and learned their position through on-the-job training with a mix of new certifications. So too the data analysts, taken from the ranks of business analysts and taught all about SQL, statistics, probability, as well as the new tools and technologies therein. These Data Analysts have to relate their newfound insights from data back into business terms.

The world of DevOps is no different. The DevOps engineer usually comes from a developer or engineering background and learns the other half of the trade. Developers learn the systems side, covering things like Continuous Integration and Continuous Deployment. Engineers learn about source control management systems, integrating software testing tools, and scripting. And as more and more of the Continuous Deployment landscape moves to containers and Infrastructure as Code, engineers are finding they have to learn more about writing code.

Enter the DevSecOps Engineer. These positions are the new ‘unicorns’ of hiring. The DevSecOps engineer has a background in software development, in application security and testing, and in engineering, and links all three of these disciplines together. While DevSecOps has been around for a while, it seems there are very few with titles reflecting the discipline. Hiring for senior positions yields quite a few resumes with a DevOps background. By and large, the majority of DevOps candidates are engineers who made some tentative moves into software development, so few have skills in languages like Ruby, Python, or Go. Gauging their skillsets by way of public code repositories or contributions to open source projects would therefore seem a wise approach. Another consideration is hiring senior software developers with a basic understanding of systems administration or DevOps and teaching them application security.

The true DevSecOps professional will have to have a more well-rounded resume. Modern concerns include securing Kubernetes, which brings application security concerns back to system security concerns like securing the kernel, isolating processes and access, and protecting the whole with advanced networking controls. DevSecOps engineers will also have to address the need for sending telemetry from cloud-based applications and platforms to security operations systems. Dynamic DNS, infrastructure as code, programmable certificate management, secrets management, encryption as a service, and log aggregation at scale for systems, infrastructure, and applications alike are all in the purview of the modern DevSecOps leader.

New DevSecOps positions will include hybridizations of older hybrids. Security-focused Site Reliability Engineers, or SSREs, will take on the role of supporting application development teams with the various technologies and disciplines of DevSecOps: things like Threat Modeling, leveraging security pipelines, and securely deploying your applications, on-premise or in the cloud. Agile software developers will become security software developers, building out the new software-based DevSecOps tech stack. And of course there will be the need for the architects who can tie it all together: who have or support the vision of DevSecOps in the enterprise, can develop the needed reference architectures, work collaboratively with people in technical and managerial roles, and guide their teammates in maturing your program.

There are few if any certifications in this new DevSecOps realm. There is no governing body declaring that this person or that is a certified DevSecOps architect, for instance. Reliance on metrics like positions held, time on the job, or responsibilities is no longer sufficient. The new paradigm has to shift to a focus on accomplishments and demonstrated abilities. What did you build? What can you do? How well do you fit in our corporate culture? What are you passionate about doing going forward? These are the new focus areas for the modern DevSecOps hiring manager. What can you offer to entice these newest ‘unicorns’? A salary commensurate with their abilities, an environment of transparency and collaboration, the opportunity to make a difference, and an environment where they get to work with best-of-breed and cutting-edge technologies. Expect to compete with the biggest and best companies around, as this very limited pool of talent is highly sought after.

Where will this talent come from? Should you look for people with more systems administration or software development in their background? My background as a software developer makes me lean towards the software developers. Good software developers have the right mindset. They understand programming languages in the context of the underlying systems they run on as well as networking. They understand the relevance of their software as it impacts the business bottom line. They have a basic understanding of security as it applies to systems, software, and the business. And most importantly, the best software developers have an insatiable curiosity. These are hackers in the very best meaning of the word.

As more of our modern security stack moves to virtualized or cloud-based systems, the importance of DevSecOps will grow. I fully expect that eventually the worlds of application security and ‘traditional’ security will merge back into one. The future of that world belongs to these new DevSecOps positions.