DevSecOps: The anatomy of a unicorn

For the past few months I have spent quite a bit of time interviewing candidates for DevSecOps positions, we are not looking for any one particular position. We have a need for a number of people with differing levels of seniority/experience. However this has been a largely unsuccessful task. As a result I have spent some time thinking about what makes a good DevSecOps person, and have come to the conclusion there is no single descriptor. When considering the roles we are looking for there are actually 3 different disciplines, as well as security, involved in this field:

Whilst any candidate needs to have a blend of all three, they are almost certainly going to be significantly stronger in one or two and probably much weaker in the third. What is more important is the common themes that run through all of these disciplines when considering DevSecOps:

Looking at these key drivers, it becomes quite clear that looking for a fully fledged DevSecOps person is not necessarily the right approach. If we can find someone with deep skills in one of the disciplines, and a good appreciation of the four themes; alongside a passion and capacity to learn the other disciplines then that is the right person for the role.

I would like to think a good percentage, if not the majority of engineers in all three disciplines have some awareness of security concerns and issues. As such security skills are not necessarily the primary differentiation here, as a lot of the additional skills needed can be taught, what is important is the candidates have good skills with automation, monitoring, testing, and deployment technologies. This is not to say security skills are not important, the right candidate should show an aptitude and interest rather than having worked in a security role.

Taking this into consideration I can see the following personas that could be suitable for this type of role.

The Software Engineer

Has several years experience in developing applications, in a secure fashion. Has experience with defensive development techniques, and is familiar with the OWASP foundation, and the various projects supported by it including the top 10 vulnerabilities and ASVS.

They have good experience working with Software Configuration Control tools, and integrating these tools with continual testing solutions. They have an understanding of SAST and DAST tools and techniques. They have worked with integrated DevOps teams and used automated deployment tools to deploy not just the applications but any associated infrastructure.

The Cloud Infrastructure Engineer

Has a deep understanding of networking and routing, including firewall design and deployment. Has a few years experience deploying infrastructure as code within a cloud platform. Has experience working with automated deployment tools to deploy complex environments, and update these environments.

They have good experience using configuration management tools. Has experience defining and creating automated tests to ensure the environments comply with requirements. Good understanding of server hardening techniques, ideally has good awareness of the CIS benchmark standards.

The Operations Engineer

Has several years experience managing applications and services, with a mix of Windows and Linux environments. Good knowledge of, and experience with configuration management and change control. Has spent some time creating automated scripts for managing and monitoring the configuration and health of the services being managed. They have worked with both infrastructure and software engineers in an agile environment, and have used automated tools to manage configuration drift during development and deployment processes.

Good understanding of server hardening techniques, ideally has good awareness of the CIS benchmark standards.

The Security Operations Center (SOC) Analyst

There is another profile which is worth considering the Security Operations Center (SOC) Analyst. This person would have several years experience within a SOC and has used automation tools to help filter and prioritize the number of alerts, perform threat hunting, and automate responses. Has several years experience with SIEM tools, and some experience with commercial SOAR tools. Has worked with infrastructure and operations support teams to integrate security monitoring into normal operations management, as well as ensure the automated responses were not disruptive to normal service.