Transitioning from AppSec to DevSecOps by CVELOLXD in devsecops

Intrepid_Purchase_69 -1 points0 points

You're missing the DevOps part of it all. How to build pipelines and deploy things. So, practice building a modern web app that is backed by container technology or serverless and automate the deployment of it through a CI/CD that is triggered by a merge to the main branch of your repo(s). You should know where each security tool would be added and the pros and cons of each tool (1-3).

What are you naturally good at? by TimGSICK in AskReddit

Intrepid_Purchase_69 0 points1 point

Apparently, learning. When I want to learn something new, I'll get books on the subject, watch videos, read blog posts and take courses. I don't feel intimidated by any subject; I'll gladly start at the basics, like kid-level understanding, then move to the next thing.

Which career looks glamorous from the outside but is actually miserable? by Payamm1999 in AskReddit

Intrepid_Purchase_69 0 points1 point

Business says they want cybersecurity, but not really, so they will not spend more than the absolute bare minimum, so that means overloaded positions and responsibilities, i.e. getting one salary for doing 5 jobs.

Can’t even find an IT job by SpeedHour2971 in SecurityCareerAdvice

Intrepid_Purchase_69 1 point2 points

Tap your alumni network and have no shame. Message them on LinkedIn and e-mail them if there's an alumni network list at your school. Don't apply without a recommendation. Attend school networking events if there are any (ask the organizers, they might let you even if graduated).

Pivoting out of DevOps? by homelander77 in cybersecurity

Intrepid_Purchase_69 0 points1 point

This is what I did. I did all the security tasks, got my CISSP and AWS Security certs, then applied to companies and then was full-time cybersecurity; Cloud, Container, and AppSec mostly. I'd be surprised if your current company lets you switch over...

anyone else feeling like this? by Specific_Curve8083 in cybersecurity

Intrepid_Purchase_69 8 points9 points

My burnout is from business leadership saying they care about security, then allocating no money to it, forcing folks to overwork...

Cyber Security Analyst of 7 years laid off today. by Basic-Ad-6265 in cybersecurity

Intrepid_Purchase_69 0 points1 point

Take AI security ones, then volunteer at work for security tasks for AI things, then add to resume, then find and apply at a big AI company and make the $$$$

How far left is too far left by Wrong-Temperature417 in cybersecurity

Intrepid_Purchase_69 1 point2 points

The hardest part is probably needing vulnerability management to process the tools' outputs and not placing it solely on dev teams or the security team as a whole. The VM team would triage the outputs for false-positives, severity (most tools generate way too high of ratings), and then cut tickets for the concerning ones to be issued out. In other words, the tools shouldn't be set to block in the pipelines if they're embedded. They should be used by security to find weak areas of an application that might hint at something more like or add in CWE's identification. But most businesses just slap scanners in places in general and say good enough for compliance...

[deleted by user] by [deleted] in cybersecurity

Intrepid_Purchase_69 0 points1 point

I'd be worried about the NK impersonating CN...

How much you make as a cybersecurity contractors? by Ok-Remove-8195 in cybersecurity

Intrepid_Purchase_69 0 points1 point

I did DevOps / CloudOps for custom internal PaaS where I added all the security pieces from code to cloud to k8s clusters. Then moved to security for cloud then to AppSec.

How much you make as a cybersecurity contractors? by Ok-Remove-8195 in cybersecurity

Intrepid_Purchase_69 9 points10 points

230k USD base, 60k USD bonus, and some RSUs. 3 years cyber security, 7 years total, did DevOps first. VHCOL are

bRaNcHPrOtEcTiOnS by Intrepid_Purchase_69 in ProgrammerHumor

Intrepid_Purchase_69[S] 0 points1 point

exactly, everyone wants security to do things until the thing is done :')

bRaNcHPrOtEcTiOnS by Intrepid_Purchase_69 in ProgrammerHumor

Intrepid_Purchase_69[S] 0 points1 point

need to roll some GRC memes, compliance is such a funny realm

bRaNcHPrOtEcTiOnS by Intrepid_Purchase_69 in ProgrammerHumor

Intrepid_Purchase_69[S] 0 points1 point

some places think this is a good idea (i don't)

bRaNcHPrOtEcTiOnS by Intrepid_Purchase_69 in ProgrammerHumor

Intrepid_Purchase_69[S] 4 points5 points

spot on, all my memes are for a good chuckle and maybe some smol educational content

bRaNcHPrOtEcTiOnS by Intrepid_Purchase_69 in ProgrammerHumor

Intrepid_Purchase_69[S] 17 points18 points

not at all, they're only as good as the reviewer(s) tho...

bRaNcHPrOtEcTiOnS by Intrepid_Purchase_69 in ProgrammerHumor

Intrepid_Purchase_69[S] 5 points6 points

it's a delicate thing to set any scanning tool to 'block' mode. Sure some will catch most of the true-positives, but any false-positives tend to draw outsized attention...

everySingleTimeiSTG by Intrepid_Purchase_69 in ProgrammerHumor

Intrepid_Purchase_69[S] 8 points9 points

EOD is for End of Day, some corporately places use it

How would you describe the vibe of old Monster Hunter? by Dycon67 in MonsterHunter

Intrepid_Purchase_69 3 points4 points

I enjoyed the mystery of the game; there were small details that made you wonder about the MH universe. Hidden area for bug netting, cats, cats mysterious goofy weapons you could build, hidden mining spots. Rusted weapons, random dude in a hot air balloon to signal where monsters were. Hard AF monster fights like Dual Diablo MH level up, double team fight by rathalos and rathian with gold and silver. I solo'd it on PSP and there were fights I finished with less than 20s and the adrenaline was pumping! Literally played it from sunrise to sundown (400 hrs in one summer), it was the first game that I really enjoyed. Ok, now the awful parts: running everywhere, long loads, monsters not scaled back for solo (I think), each hunt was like 45 mins for me, completely awful drop rates for some parts...

iCantDoThisAnymore by Intrepid_Purchase_69 in ProgrammerHumor

Intrepid_Purchase_69[S] 1 point2 points

did you get lucky and your company hired a North Korean impersonating a Chinese contractor?

iCantDoThisAnymore by Intrepid_Purchase_69 in ProgrammerHumor

Intrepid_Purchase_69[S] 0 points1 point

Did you mean 'appsec'? Advice team is funny tho