Explaining DevSecOps Engineer FULLY (Is It Right For You?)

Thanks for having our host on the show Gerald! You are a good interviewer :)

CloudSecurityPodcast

I have a strong security architecture not devops. The learning curve was steep but possible. SANS Sec540 training helped glue everything together.

geekspeak

Thanks for having me on to talk about DevSecOps Gerald! :)

AshishRajan

Your video is not explaining the role of a DevSecOps Engineer "FULLY." I am a DevSecOps Engineer and the role of a "DevSecOps Engineer" is much, much more than just building and maintaining CI/CD pipelines for deploying an application into Production with additional security checks. This is a major misconception people have with the term DevOps and DevSecOps as a cultural methodology vs what an actual DevOps or DevSecOps Engineer actually does. We do everything a DevOps Engineer does (the role of a Cloud Engineer and the role of a Systems Administrator, utilizing Infrastructure as Code/automation), but we also automate, manage, and maintain the security tools in addition (firewalls, IDS, IPS, etc) to meet compliance set fourth by RMF. In short a DevSecOps Engineer (at least at my organization) does DevOps (again which is not strictly CI/CD <-- major misconception made by people not in the field, as a DevOps Engineer majority of the time is actually an Engineer in Systems and Operations who goes about their role leveraging automation) + we handle all of the the "hands-on" Blue Team Security Engineering and operations minus the hands-off security engineering RMF handles (Security Plans, etc). I have a ton of respect for Ashish Rajan for being an ambassador for the Cloud Security Engineering space (Ashish, I love your stuff and I am sub'd to your channel!), however I would have recommended that you interviewed someone who has actually held the position of "DevSecOps Engineer" to explain the role. It's also misinformation that organizations don't have Sr. DevSecOps Engineering roles. We have many on my team and it's a role that exists at many other organizations. Also, I have never seen the "DevSecOps Engineer" title existing in "Big Tech." At least from my experience, those companies typically have their separate Security Engineer and DevOps Engineer roles. That being said, the title has definitely been embraced within the Federal Government sector.

fxhrlifer

Thanks for the great video!

I agree about automating SAST and the mountain of false positives it can create being a massive headache.

I am currently working as a DevSecOps Engineer. I would really like to hear about Ashish's journey from DevSecOps to CISO. That is my long term career goal, but I struggle with what to do next to make sure I am moving in that direction.

TheSpaniard

Is DevSecOps considered a track within Cybersecurity? I’m currently an ISSO and work with the RMF (GRC) and would like to pursue this track in the cleared space. DevSecOps is huge and new with the DoD and all the software factories standing up.

CFH

This was such a good, informative interview. I learned so much and I am looking at learning some DevSecOps soon!

PressThatButton

That was excellent. I had been wondering exactly what devsecops meant. A good goal to focus towards

cheftp

But once the dev ops pipeline is established after that does this DevSecOps engineer would do. What is mean if we we have team of 3 to 4 people they would have not much to do after the pipeline establishment

satish

great video..i am currently into SOC in India.only problem for me are rotating shifts every week which is not suitable for my health..can you suggest roles after SOC that does not require shift work..any videos..btw great video

pauloseputhenpurackal

Timestamps

0:00 Preview

1:26 What is the DevSecOps Engineer job?

7:07 What skills are needed to do the job?

12:13 What is/are the PROS of the job?

13:57 What is/are the CONS of the job?

17:12 Best way to get these skills?

DanteakaHarsh