Roadmap for DevSecOps
Jitu Mani Das (CISM CISSP)
Cyber Security Expert (IT and OT/ICS) | Cloud Solution Architect | Security Operations | Enterprise & Critical Infrastructure Security Architecture & Design | IT and OT SOC Design & Built | FORENSICS
Roadmap for DevSecOps. What should you learn?
Point 1. I think the correct answer to this question has always been, and will remain: go to a job site, pick the position you want, read 20-30 vacancies, write down the terms that keep repeating, and study what they are. This applies to any country and any position, unless of course you choose to learn something that is not yet on the market; in that case, start looking for the necessary skills wherever you first heard about it.
But are we lazy people? Personally, yes. Everyone would rather skip the searching and find a ready-made roadmap or mind map, where smart people have already drawn up a schedule of what you need to learn. In that case, I found some interesting materials for you:
Are you sure that before becoming a DevSecOps engineer you studied the DevOps tools and learned how to apply those practices?
If not, go back to point 1 for the red pill. If you took the blue pill, here is my answer to the question: "What does a DevOps engineer need to know?"
Version control: Git (GitLab)
CI/CD tools: Jenkins, GitLab CI (Argo CD is gaining popularity)
Container orchestration: Kubernetes, docker-compose (more rarely Docker Swarm; OpenShift where it is required)
Deployment automation: Ansible, Terraform
Programming languages: Python, Bash
Storing Secrets: Vault
Monitoring: Prometheus, Grafana [It's time to retire Zabbix]
Logging: ELK
If the words above did not seem unfamiliar to you, or as my friend says, “in the Elvish language,” then congratulations, you are a DevOps engineer :)
Returning to the topic of the post: what should a DevSecOps engineer learn? Everything a DevOps engineer knows, plus:
Finding secrets: GitGuardian ggshield (https://github.com/GitGuardian/ggshield), Gitleaks (https://github.com/gitleaks/gitleaks), truffleHog (https://github.com/trufflesecurity/trufflehog), DeepSecrets (https://github.com/ntoskernel/deepsecrets) (the last one is from my friend Mikhail from Avito Tech; his tool takes a non-standard approach to finding secrets)
SCA: Snyk (https://github.com/snyk/cli), Syft (https://github.com/anchore/syft) and cdxgen (https://github.com/CycloneDX/cdxgen) for generating SBOMs, Trivy (https://github.com/aquasecurity/trivy), Dependency-Track (https://github.com/DependencyTrack/dependency-track) for analysing the SBOMs you generate
SAST: Semgrep (https://github.com/semgrep/semgrep) (falls over a lot, use it only together with something else), Bearer (https://github.com/Bearer/bearer), CodeQL (https://github.com/github/codeql), SpotBugs (https://github.com/spotbugs/spotbugs) (Java), Terrascan (https://github.com/tenable/terrascan) (IaC rather than application code)
DAST: OWASP ZAP (https://github.com/zaproxy/zaproxy), nuclei (https://github.com/projectdiscovery/nuclei), Dastardly (https://portswigger.net/burp/dastardly)
Container and Kubernetes security: Grype (https://github.com/anchore/grype/) for image and SBOM vulnerability scanning, Open Policy Agent (https://github.com/open-policy-agent/opa) for admission and configuration policy, kube-hunter (https://github.com/aquasecurity/kube-hunter) (not actively supported), kube-bench (https://github.com/aquasecurity/kube-bench) for CIS benchmark checks, Falco (https://github.com/falcosecurity/falco) and Tracee (https://github.com/aquasecurity/tracee) for runtime detection, Anchore Engine (https://github.com/anchore/anchore-engine) (not actively supported), Clair (https://github.com/quay/clair)
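As an added example (this is not from the original post and not any vendor's reference pipeline), here is a minimal GitLab CI pipeline that turns several of the tools listed above into merge-request gates: Gitleaks for secrets, Semgrep for SAST, Syft to produce a CycloneDX SBOM, Grype to scan that SBOM, and Trivy to scan the built image. The scanner image tags, the `$IMAGE` variable, the `p/ci` rule pack and the severity thresholds are assumptions to adapt to your own registry and policy; the job that builds and pushes `$IMAGE` is assumed to exist and is not shown.

```yaml
# Added example, not part of the original post: a minimal GitLab CI pipeline
# that turns the tools above into pipeline gates. Assumptions: the container
# image has already been built and pushed as $IMAGE by an earlier job, and
# the scanner images are pulled from Docker Hub at the ":latest" tag.
stages:
  - secrets
  - sast
  - sbom
  - sca
  - container

variables:
  GIT_DEPTH: "0"                              # full history: gitleaks scans every commit, not just HEAD
  IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"  # assumed: produced by a build job not shown here

secrets:
  stage: secrets
  image:
    name: zricethezav/gitleaks:latest
    entrypoint: [""]                          # override the image ENTRYPOINT so GitLab can run a shell
  script:
    # exits 1 when a secret is found; --redact keeps the secret itself out of the job log
    - gitleaks detect --source . --redact --report-format json --report-path gitleaks.json
  artifacts:
    when: always
    paths: [gitleaks.json]
    expire_in: 1 week

sast:
  stage: sast
  image:
    name: semgrep/semgrep:latest
    entrypoint: [""]
  script:
    # --error makes findings fail the job; p/ci is the low-noise registry rule pack
    - semgrep scan --config p/ci --error --json --output semgrep.json
  artifacts:
    when: always
    paths: [semgrep.json]
    expire_in: 1 week

sbom:
  stage: sbom
  image:
    name: anchore/syft:latest
    entrypoint: [""]
  script:
    # CycloneDX SBOM of the checked-out source tree; kept as the input for the SCA job
    - syft dir:. -o cyclonedx-json=sbom.cdx.json
  artifacts:
    paths: [sbom.cdx.json]
    expire_in: 1 month

sca:
  stage: sca
  needs: [sbom]                               # pulls sbom.cdx.json from the sbom job
  image:
    name: anchore/grype:latest
    entrypoint: [""]
  script:
    # scan the SBOM rather than re-walking the tree; fail on High or worse
    - grype sbom:sbom.cdx.json --fail-on high

container:
  stage: container
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  variables:
    TRIVY_USERNAME: "$CI_REGISTRY_USER"       # registry credentials that GitLab injects into every job
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
  script:
    # fail only on HIGH/CRITICAL findings that have a fix, so unfixable CVEs do not block every MR
    - trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed "$IMAGE"
```

Commit this as `.gitlab-ci.yml` next to your build job. The SBOM artifact is also what you would upload to Dependency-Track for continuous monitoring after the merge; kube-bench, Falco and Tracee from the list above run against a cluster, not inside a pipeline, so they are deliberately absent here. The thresholds (`--fail-on high`, `--ignore-unfixed`) are the knobs you tune: too strict and developers start bypassing the gates, too loose and the pipeline stops being a control.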
Conclusions:
1. We have very few open-source DASTs, and there are also few high-quality commercial solutions that work well.
2. The scope for developing commercial solutions is enormous, as is the potential in this area.
3. DevOps is not very difficult to learn, but DevSecOps is already a serious undertaking; I have tested this on myself.
4. DevSecOps methodologies and tools are still rarely used in practice, so the market is waiting for new solutions and approaches.
5. When I heard about the exorbitant salaries of DevSecOps engineers, I thought the situation was like it once was with ML engineers and data scientists, but no. The pool of knowledge here is really huge, covering at least AppSec and even pentesting.