Security breaches like those involving Coursera, Experian and Peloton earlier this year are driving home the need for DevSecOps to improve the security of APIs and other types of software.
DevSecOps is a growing field ripe with opportunities for IT professionals and software developers, especially now that workers and much of daily business have moved to the cloud because of the COVID-19 pandemic.
“DevSecOps is a combination of three words, development, security and operation,” said Infosec Skills author Remi Afon, an experienced DevSecOps consultant and cybersecurity specialist who recently released a DevSecOps learning path in Infosec Skills.
Why organizations implement DevSecOps
DevSecOps is a shift in thinking, adding security into software development and IT operations (DevOps) from the beginning rather than at the end. Without security, your development lifecycle is open to bugs and vulnerabilities, putting your organization and customers at risk.
“It is all about integrating security into development and operations from the moment you conceive the idea of developing the software, what we call ‘shifting left,’” explained Afon. “It’s about identifying vulnerabilities as early as possible and fixing them before going live.”
While DevSecOps primarily concerns culture and process, it is a fast-growing niche with an annual growth rate of about 33 percent expected for the next five years, according to a recent market study published by Global Industry Analysts Inc.
“I’m quite passionate about DevSecOps and the benefits of applying secure processes and principles that augment business capabilities and enrich an organization’s relationship with their customers,” said Afon. “My new courses are for anyone curious about or aspiring to jump into DevSecOps space — coders, developers, information security and IT leaders. It’s a good way for organizations that want to implement DevSecOps to get their staff started.”
COVID-19 pandemic quickens the pace of change
The coronavirus pandemic changed the way people and businesses work. The almost overnight shift to work from home, combined with SaaS applications, collaboration services and connectivity, is leading the changes and driving the need for greater security.
The sharp increase in cloud services and the near abandonment of enterprise networks are two more pandemic-induced trends with security issues. Once office buildings and data centers were vacated, many of the benefits of private infrastructure were negated.
These trends are significant for DevSecOps and IT departments because once organizations fully incorporate cloud services into their workplaces, few will go back to pre-pandemic on-site workplaces. A PwC survey earlier this year showed that most employees would likely work remotely more than half the time.
Cloud-native applications require DevSecOps practices and tools to incorporate cloud development and deployment and at the same time maintain security.
“According to Gartner, DevSecOps practices will be embedded into 80 percent of rapid development teams by the end of 2021,” said Afon. “It’s a new area in the security realm. One of the challenges is that most organizations don’t understand DevSecOps, and they’re not really sure who should be managing DevSecOps within the organization.”
Learning DevSecOps with Afon
Afon said his new DevSecOps learning path is focused on threat modeling and tools for security testing like software composition analysis, secret management, and static and dynamic application testing.
“We also dive into the software development lifecycle, and students are introduced to basic container security with Kubernetes and Dockers — these are kind of the latest technology.”
The goal of his courses is to teach security practices, principles and tooling for software development processes. You will learn how to design and build security into the continuous integration and continuous delivery (CI/CD) pipeline using processes and tools to automate software delivery. By the end of the learning path, you will acquire core DevSecOps skills, such as threat modeling, SCA, SAST, DAST and container security.
There is also a hands-on project to put into practice what you’ve learned about DevSecOps.
At the end of this eight-hour course, you will have the knowledge and skills to integrate security into DevOps platforms and run secure systems.
“These are good skills to have, especially if you are trying to advance into DevSecOps,” Afon added.
Who should learn DevSecOps?
Afon said anyone with basic IT knowledge could benefit from this learning path, and it can open doors for them into a new career.
“I’ve made this course as simple as possible because if you want to jump into DevSecOps, you need to understand what software is all about, understand things like vulnerabilities and threats,” he said.
“It’s going to be easy for whoever attends this course to be able to jump into and use the commercial tools available out there. Anybody that has got basic computing knowledge can easily pick up this course and also jump into that DevSecOps space.”
Sources
- Coursera Flunks API Security Test in Researchers’ Exam, Threatpost
- Experian API Exposed Credit Scores of Most Americans, Krebs on Security
- Peloton’s leaky API let anyone grab riders’ private account data, TechCrunch
- Valued to be $17 Billion by 2026, DevSecOps Slated for Robust Growth Worldwide, PR Newswire
- It’s time to reimagine where and how work will get done, PwC
- 12 DevSecOps Trends to Watch Right Now, DevOps Digest
- 3 DevSecOps trends to keep an eye on, TechTarget: Search IT Operations
- DevSecOps and the cyber imperative, Deloitte UK Tech Trends 2019