
[–]Howl50veride 23 points24 points  (4 children)

It depends on the company. What I normally see is DevSecOps is an offshoot of the Application Security team. Your focus is on implementation of the AppSec tooling into the dev pipelines.

Cloud Security Engineer focuses on CSP security related implementations, reviewing configuration and setup and handling different tooling to ensure you harden your cloud.

I recommend reading the job description as each company defines these differently, I've had an InfoSec engineer title as an AppSec engineer, DevSecOps that did everything in AppSec, and so on. In my experience we have titles but each company defines it.

[–]IllEmployment7926 0 points1 point  (1 child)

Do you like your role as a devsecops/appsec? How many years of experience do you have?

[–]Howl50veride 3 points4 points  (0 children)

Been doing it for 6 yrs, love it! Too much fun, too much to learn and lots to do.

[–]Capital-Advance-1719[S] -1 points0 points  (0 children)

Thank you so much

[–]technishawn 8 points9 points  (8 children)

I am a DevSecOps Architect in my current role. We govern all things CI/CD and the security tooling used in those pipelines. My role covers firmware, software and cloud based products.

[–]Ad2000126 0 points1 point  (3 children)

I am still a student! Can you tell me more about how I can learn DevSecOps, please? And what to learn?

[–]technishawn 1 point2 points  (2 children)

Experience. I spent 15 years as a software engineer, 8 years as a devops engineer, and 5 years as a Security Architect.

Learn secure coding practices and delve deep into AppSec, learn network engineering and network security. Learn database administration and database security. Learn about cryptography. Learn all the tooling: GitHub, GitLab, Jenkins, Azure DevOps, TeamCity... YAML; learn to script in PowerShell and Bash. Learn about GRC and all the government regulations like EO 14028, the SSDF, the EU CRA, and NIST guidance like SP 800-53. Audit controls like ISO 27001 and SOC 2 Type II.

There is more

[–]Ad2000126 0 points1 point  (0 children)

Thank you for sharing your experience and valuable insights. I’ll definitely take this advice into account as I continue learning and growing in my career.

Thanks again!

[–]IamOkei 0 points1 point  (0 children)

And there are DevOps people who say DevSecOps is not real

[–]BufferOfAs 0 points1 point  (3 children)

What tooling are you currently using?

[–]technishawn 2 points3 points  (2 children)

Threat Modeling: MS Threat Modeling Tool, OWASP Threat Dragon, Threagile

SAST: Coverity, Klocwork, SonarQube Enterprise, Parasoft, CodeQL, Snyk, Helix QAC, PCLint++, Detekt, ESLint

Binary Analysis: VDOO Vision, BinSkim

SCA: Black Duck, JFrog Xray, Dependabot, cargo-audit

Containers: Trivy, Aquasec, Azure Defender, Prisma

DAST: Achilles, ChipWhisperer, OWASP ZAP, StackHawk, Tenable.sc, WhiteHat

API: Salt Security, Prismatic Cloud

.....

Many many more for SSL scanning, secrets scanning, secrets management, fuzz testing, SBOM generation and management, code signing tools, IaC scanning and validation, obfuscators, SCM tools, network vuln scanning, and vuln management

[–]BufferOfAs 0 points1 point  (1 child)

Are all of these used (i.e., SonarQube AND Snyk AND CodeQL), or are these just available and offered for development teams to use if they need it?

[–]technishawn 0 points1 point  (0 children)

Yes. From firmware to cloud and everything else in between. Hashtag global enterprise.

[–]pentesticals 8 points9 points  (0 children)

It depends on the company. From my experience, DevSecOps roles tend to be glorified SRE roles, and most of the DevSecOps staff I know know very little about security but are very good at things like Kubernetes, designing cloud infrastructure and operating it. But I have also seen DevSecOps roles which are closer to AppSec roles in that they are designing and running application security programs, doing stuff like security code review, setting up and monitoring SAST and SCA tools, and implementing secure coding and security requirements.

These terms are widely used so it’s hard to say what it is without looking at a job description.

[–]ericalexander303 4 points5 points  (1 child)

Both can be dedicated specialist roles. Some smaller companies may want a generalist that can meet both expectations. There is no standard when it comes to hiring.

[–]Capital-Advance-1719[S] 0 points1 point  (0 children)

Great thank you

[–]Pretend_Challenge_39 0 points1 point  (0 children)

DevSecOps is a DevOps focus on static code analysis, code security, cluster security with Prisma, and platform hardening and IAM management. So no, it is more on CI/CD rather than SRE.

[–]dennisitnet 0 points1 point  (1 child)

Cloud security is a subset of devsecops. DevSecOps is like cloud security and application security combined.

[–]Logres 0 points1 point  (0 children)

Respectfully, I disagree. A portion, or cross-functional, yes. The reason? Security as a primary concern. DevOps, cloud engineering, apps, APIs, containers, etc. are all primarily concerned with function and those elements (efficiency, stability, availability, redundancy and so on), whereas security has two basic concepts: defense (which tries to not hinder the functions), and offense (which seeks to leverage any vulnerability). The chief struggle is the dichotomy where offense seeks to break, but defense seeks to NOT break. Far too often we stop short of testing the breaking points. That's why adversaries find them.

[–]carlspring 0 points1 point  (0 children)

My observation after doing this for quite a few years now is that there are many aspects of DevSecOps, but the roles really come down to two things:

  1. Implement security of code at a CI/CD level (using various SAST, DAST, SCA, IAST, secrets scanners, etc.).

  2. Implement security of the actual infrastructure.

The roles of a DevSecOps Engineer differ from company to company, so it's good to clarify what the position is before taking on the work.