In the early days of software development, Development and Operations worked separately and sequentially: Developers wrote and tested code, then handed it over to Operations (typically an Infrastructure Engineer or Systems Administrator) for production deployment. This approach had drawbacks: code often failed in production, and new features were delivered in large, infrequent releases without early testing or user feedback.
DevOps emerged in the late 2000s as a response to these inefficiencies, enabling companies to release software more quickly. Developers take more responsibility for their code running in production, and shared goals and collaboration between Developers and Ops teams mean more stable, reliable software. There is still one snag: in this model, Security is often an afterthought. Whereas DevOps favors moving quickly and releasing early and often, Security prioritizes delivering secure, reliable software, which can slow down delivery.
“DevSecOps emerged as an adaptation of DevOps and Security, two separate business functions which typically encountered friction between them,” says Kyle Richards, founder of Kioni Talent. Bringing Security into DevOps aligns teams’ goals and responsibility, ensuring collaboration to deliver secure, functional products. Security becomes an integral part of the entire software development and delivery process.
Kyle has a degree in Computer Science and over 10 years’ experience recruiting in Software Engineering, CyberSecurity, Infrastructure, and DevOps. Below, he shares insights for learners interested in pursuing a career in DevSecOps.
What types of roles can you have in DevSecOps?
Being a relatively new discipline, DevSecOps roles can take a few forms and have different names, Kyle says. “Some companies hire DevSecOps Engineers or Specialists, while others still simply use the ‘DevOps’ title whilst including an element of security in the job description.” Broadly speaking, these people are responsible for integrating security processes into the software development and delivery lifecycle, enabling companies to ship quickly without sacrificing security.
The size of the company can also influence how cross-functional the roles are. “Larger companies are more likely to have dedicated DevSecOps teams, whereas at a startup a DevOps person is more likely to be doing DevSecOps by default as they may not have a security team (or if they do, it’s very small or outsourced),” says Kyle.
All of this means it’s a good idea to keep an open mind and not limit your job search to titles that include “DevSecOps,” but rather to scan job descriptions for responsibilities that span development, security, and operations. Some companies might not hire DevSecOps professionals, but rather Site Reliability Engineers (SREs), whose role focuses more on software engineering but can also encompass security and operations.
What skills do you need to work in DevSecOps?
While a DevSecOps professional won’t spend their whole day coding, some programming knowledge is critical, as tasks such as automating security processes and integrating them into continuous integration and deployment (CI/CD) pipelines will likely be expected of you.
Some exposure to the full software development and delivery lifecycle is important, including:
As with DevOps roles, a key part of DevSecOps careers is collaboration with other functions, so working on your interpersonal skills will also help prepare you to step into DevSecOps roles.
It can be intimidating to keep up with developments across multiple disciplines, so being a continuous learner with a growth mindset is also a huge asset.
How to gain DevSecOps experience
Junior and entry-level DevSecOps positions tend to be hard to come by because DevSecOps requires expertise in two disciplines. “One of the best ways into DevSecOps is to start by focusing on either DevOps or Security,” Kyle says.
By gaining experience in one and upskilling in the other, you can build a strong foundation to transition into DevSecOps, Kyle says. So if you start in DevOps, you can train in security (or vice versa) outside of work or as part of your ongoing professional development. “Once you have a good foundation, then you’re in a position to move from DevOps or Security into a DevSecOps role,” he says.
Want to get started in DevOps? In our free course Introduction to DevOps, you’ll learn the principles of DevOps, including key practices like CI/CD, monitoring, and containerization. You’ll come to understand the differences between DevOps and traditional operations, as well as the importance of scalability, observability, and resiliency in modern software systems.
If you’re more interested in cybersecurity, consider our skill path Fundamentals of Cybersecurity. You’ll learn how hackers gain access to systems, the dangers of ransomware, and whether individuals or companies are at risk. Guided by CompTIA’s Security+ Certification, you’ll gain skills in social engineering techniques, identifying common cyber attacks, and exploring security assessment strategies.
How to break into DevSecOps
If your goal is to work in DevSecOps, think about your past experience and transferable skills. “Maybe you’ve done software development, which gives you a technical understanding,” Kyle says. “Now you can take a course in DevSecOps to give you more depth and upskill in the discipline.” We recently launched a suite of new, free DevSecOps courses to help you round out your understanding.
DevSecOps can be a great field for career shifters, because it offers a unique opportunity to build on your previous experience and skill set. This is where writing a great cover letter can come in. “You could say, ‘I was working in DevOps, but I really wanted to develop my understanding of Security. I spent my personal time upskilling in Security so that my next role could combine my personal and professional work,’” Kyle suggests. Check out these additional tips for writing a resume for DevOps or cybersecurity.
Kyle recommends following companies on LinkedIn that hire for the types of roles you’re interested in, as well as individuals who are working in DevSecOps (here’s some inspiration for great cybersecurity follows). You’ll start to see the content they share and the discussions they join, which can highlight unfamiliar topics and areas for further learning.
Then, once you’ve upskilled and are ready to apply for DevSecOps jobs, you can optimize your resume and LinkedIn profile by focusing on your relevant skills instead of just the roles you’ve already held, drawing attention to the effort you’ve made to broaden your knowledge and skill set. Check out this article for advice on crafting a skills-based profile.
Ready to start diving into DevSecOps? Visit our cybersecurity course catalog for a host of new, free DevSecOps courses to get started.