DevSecOps is all about the integration of software development, security, and IT operations — but not necessarily in equal measure. Instead, in conversations about DevSecOps, the emphasis usually falls primarily on making software development processes more secure. The role of security in IT operations tends to receive less focus.
You might think, then, that becoming a DevSecOps engineer would be a tall order for an IT operations engineer. DevSecOps may seem to require a distinct skill set — and perhaps even a different way of looking at the world — than the one an ITOps engineer typically possesses.
Fortunately, that's not the case. When you dig deeper, you realize that DevSecOps engineers are not all that different from ITOps engineers — and that the latter can transform into the former easily enough if they wish.
ITOps and DevSecOps
To explain why, let me first elaborate on the claim that IT operations gets short shrift within discussions of DevSecOps.
I don't have comprehensive data to prove that claim, but I can cite some relevant examples. Take, for instance, this list of DevSecOps best practices. Two of them — training developers to write secure code and managing code dependencies — are practices that apply specifically to developers, not ITOps engineers. The four others are generic security practices that any DevSecOps engineer could leverage; they don't relate to ITOps in a particular way.
The story is the same in this discussion of DevSecOps practices. Many of the recommended practices, like securing application development pipelines and implementing two-factor authentication, are tasks that fall primarily to developers. The others are general best practices that could apply to ITOps, but are not exclusive to it.
I could go on, but suffice it to say that my point is this: If you read advice on how to "do" DevSecOps, you'll notice that the bulk of it focuses on skills and processes associated with software development, not IT operations. In that sense, DevSecOps engineering may seem to be something for developers, not ITOps teams, to pursue.
How IT Operations Reinforces DevSecOps Engineering Skills
That doesn't mean, however, that ITOps teams need to sit on the sidelines when it comes to DevSecOps — or that IT operations engineers can't themselves become leaders within DevSecOps processes.
On the contrary, ITOps engineers specialize in a variety of skills that are critical to DevSecOps (even if they feature less prominently in DevSecOps conversations):
- Deploying applications: No matter how well (or poorly) developers have heeded security when creating applications, a variety of oversights or mistakes at deployment time could undercut security. Since ITOps engineers specialize in application deployment, they are best able to manage these risks.
- Security monitoring: IT operations engineers excel at monitoring applications in production to detect (among other issues) security risks.
- Incident response: ITOps teams know how to respond efficiently and effectively when something goes wrong, including a security incident.
- Feedback: In a DevOps- or DevSecOps-focused organization, ITOps engineers are adept at collecting feedback from production environments and sending it to developers and/or security teams to help make applications more secure in future release cycles.
All of this means that if you're an IT operations engineer today, you're probably already doing much of the work that goes into DevSecOps. The tasks you know best may not be as celebrated as those that involve coding or software architectures, but they're equally important for effective DevSecOps.
Additional Skills for Becoming a DevSecOps Engineer
Of course, this doesn't mean that IT operations engineers can turn themselves into DevSecOps engineers overnight. They'll still need to master the security processes and challenges that take place earlier in the application delivery cycle.
They'll need to understand, for instance, the security implications of different types of application architectures (like monoliths versus cloud-native software designs). They'll need to know how security risks can originate within software supply chains and how to manage those risks. They'll need to understand why storing secret data in plain text is bad even in development and testing environments.
But these skills are easy enough to learn for a seasoned ITOps engineer. And given that IT operations salaries are quite a bit lower (see chart above) than DevSecOps engineer compensation (which runs well into the six figures), there is good financial incentive for ITOps engineers to expand their thinking and skill sets to fit a DevSecOps role.
About the author
Christopher Tozzi is a technology analyst with subject matter expertise in cloud computing, application development, open source software, virtualization, containers and more. He also lectures at a major university in the Albany, New York, area. His book, “For Fun and Profit: A History of the Free and Open Source Software Revolution,” was published by MIT Press.
