
5 Key Learnings on How to Get Started in DevSecOps

Author: Gerald Crescione

February 20, 2025

For developers and aspiring security professionals, the path to embedding security into development workflows can seem daunting. During DevSecCon’s recent community call on How to Get Started in DevSecOps, security experts Sonya Moisset (Staff Security Advocate), Hung Ngo (Cyber Security Specialist), Vladimir Mikhalev (DevOps Engineer) from the DevSecCon community shared actionable advice, practical steps, and insights for navigating this critical field. Here are the top five takeaways from this call.

1. Understanding DevSecOps: A holistic approach

DevSecOps is more than just a buzzword—it’s a transformative philosophy that seamlessly integrates security into every software development lifecycle (SDLC) stage. By shifting security from a blocker to an enabler, DevSecOps ensures that security is proactive and continuous.

At its core, DevSecOps is built on key principles:

  • Security as code: Involves embedding security controls and policies directly into your CI/CD pipelines. For example, automating vulnerability scans during the build process ensures that issues are flagged and addressed early.

  • Shift left: By moving security earlier in the development process, teams can identify vulnerabilities before deployment.

  • Automation and tooling: Tools like SCA (Software Composition Analysis), SAST (Static Application Security Testing), and DAST (Dynamic Application Security Testing) reduce manual effort and provide immediate feedback to developers, enabling faster fixes.

  • Collaboration and shared responsibility: When developers, security teams, and operations work together, security becomes a seamless part of the workflow rather than an external function. This means having regular cross-team syncs and open communication channels.

  • Continuous monitoring and feedback: Observability and runtime security are essential to detect and respond to threats in real time, even after deployment. Tools like logging and telemetry platforms can provide valuable insights into potential vulnerabilities.
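To make the "security as code" principle concrete, here is an added example (not code from the original post, from the DevSecCon panelists, or from any scanner vendor) of a small policy gate that a CI job could run on a scanner's JSON output. The scanner report format and the policy file format are hypothetical and constructed for this example; real SCA and SAST tools each emit their own schema, so `parse_report` is the part you would adapt. The point it demonstrates is that the policy itself (severity threshold, accepted risks with an owner, a reason and an expiry date) lives in the repository and goes through code review like any other change, and that an expired exception starts blocking the build again instead of silently becoming permanent.

```python
"""Minimal "security as code" gate for a CI pipeline (added example).

The report shape and policy shape below are hypothetical; adapt parse_report()
to the real scanner you use.
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed policy: the kind of file committed next to the pipeline definition.
# Every accepted risk needs an owner, a reason and an expiry so it is revisited.
POLICY = {
    "fail_at_or_above": "high",
    "exceptions": [
        {"id": "VULN-0001", "owner": "team-payments",
         "reason": "vulnerable function not reachable; fix scheduled", "expires": "2025-03-31"},
        {"id": "VULN-0002", "owner": "team-web",
         "reason": "awaiting upstream release", "expires": "2025-01-15"},
    ],
}

# Constructed scanner output in a hypothetical, tool-neutral JSON shape.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "VULN-0001", "severity": "high", "package": "left-pad", "version": "1.0.0",
         "title": "constructed high-severity finding"},
        {"id": "VULN-0002", "severity": "critical", "package": "libfoo", "version": "2.3.1",
         "title": "constructed critical finding with an expired exception"},
        {"id": "VULN-0003", "severity": "medium", "package": "libbar", "version": "0.9.0",
         "title": "constructed medium-severity finding"},
        {"id": "VULN-0004", "severity": "critical", "package": "libbaz", "version": "4.0.0",
         "title": "constructed critical finding with no exception"},
    ]
})


def parse_report(raw):
    """Turn the scanner JSON into (id, severity, description) tuples.

    Unknown or missing severities are treated as 'low' rather than crashing the
    job, so a schema change degrades to a visible finding, not a broken gate.
    """
    findings = []
    for f in json.loads(raw).get("findings", []):
        sev = str(f.get("severity", "low")).lower()
        if sev not in SEVERITY_RANK:
            sev = "low"
        desc = f"{f.get('package')}@{f.get('version')}: {f.get('title')}"
        findings.append((f.get("id", "unknown"), sev, desc))
    return findings


def active_exceptions(policy, today):
    """Ids of accepted risks whose expiry date is today or later."""
    return {e["id"] for e in policy["exceptions"]
            if date.fromisoformat(e["expires"]) >= today}


def evaluate(findings, policy, today_iso=None):
    """Apply the policy and return (passed, blocking, suppressed, expired).

    blocking:   (id, severity, description) tuples that fail the build
    suppressed: ids at/above the threshold covered by a still-valid exception
    expired:    ids that had an exception which has lapsed (they also block)
    """
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    threshold = SEVERITY_RANK[policy["fail_at_or_above"]]
    active = active_exceptions(policy, today)
    known = {e["id"] for e in policy["exceptions"]}
    blocking, suppressed, expired = [], [], []
    for fid, sev, desc in findings:
        if SEVERITY_RANK[sev] < threshold:
            continue  # below the gate; reported elsewhere, never blocks
        if fid in active:
            suppressed.append(fid)
            continue
        if fid in known:
            expired.append(fid)  # lapsed exception: surface it explicitly
        blocking.append((fid, sev, desc))
    return (len(blocking) == 0, blocking, suppressed, expired)


def main(argv):
    """Read a report file (or the constructed sample) and exit non-zero on failure."""
    raw = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    passed, blocking, suppressed, expired = evaluate(parse_report(raw), POLICY)
    for fid in suppressed:
        print(f"suppressed {fid} (active exception)")
    for fid in expired:
        print(f"exception for {fid} has expired; re-review required")
    for fid, sev, desc in blocking:
        print(f"BLOCKING [{sev}] {fid} {desc}")
    print("gate: PASS" if passed else "gate: FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python gate.py report.json` in the pipeline; a non-zero exit fails the job. Keeping the threshold and exception list in the repository rather than in the scanner's web console is what makes the control reviewable and reproducible.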

2. Charting your path: Panelists’ journeys into DevSecOps

The panelists shared their paths into DevSecOps, offering practical advice for newcomers. A common theme was the importance of community and hands-on learning. Here are the key takeaways from their personal experience:

  • Join communities: They gained valuable networking and learning opportunities by joining professional groups and forums. Communities like OWASP and DevSecCon can help you connect with like-minded professionals.

  • Seek mentorship: Finding mentors who can guide your journey is invaluable. Mentors not only provide advice but also open doors to opportunities.

  • Earn certifications: Certifications, especially event-free ones, demonstrate your commitment to the field and can also catch the eye of recruiters.

  • Ask questions: Engaging with security teams and participating in security champion programs are great ways to learn and grow.

  • Apply knowledge: The panelists emphasized applying what you learn by integrating tools like Snyk into projects and showcasing your skills through blog posts or GitHub contributions.

3. Where to start: Logical learning paths

Starting in DevSecOps can feel overwhelming, but breaking it down into structured steps makes it manageable. Here’s how to get started:

  • Fundamentals first: Build foundational knowledge of common vulnerabilities, secure coding principles, and the OWASP Top 10. Online learning platforms like Snyk Learn, OWASP, Udemy, and Coursera offer beginner-friendly courses to help you build a solid foundation in security principles. Accessible books like Bob and Alice Learn Cybersecurity or Open Source Software Security Handbook – Best Practices for Securing Your Projects are also excellent starting points.

  • DevOps basics: Familiarizing yourself with programming, networking, Kubernetes, and monitoring tools is an essential part of your learning journey. Understanding these fundamentals will help you see how security fits into the bigger development and operations picture.

  • Hands-on platforms: Once you have the foundational knowledge, the next logical step is practical experience. Use platforms like TryHackMe and Hack the Box to practice securing systems in simulated environments. For example, TryHackMe’s Snyk rooms, created by Sonya Moisset, one of our panelists, provide targeted training on identifying vulnerabilities.

4. Implementing DevSecOps in your organization

Transitioning to a DevSecOps culture requires a thoughtful approach. For teams and practitioners looking to implement DevSecOps, the key is to build the right culture, start small, and scale gradually while ensuring buy-in from all stakeholders:

  • Build awareness and culture: Start by educating your team on the importance of security. If necessary, conduct introductory training sessions to ensure everyone understands foundational concepts. All panelists emphasized that creating a sustainable DevSecOps practice requires cultural change. There are various ways to make those cultural changes happen. Implementing Security Champion Programs is one of them, as it empowers representatives from engineering teams to advocate for security best practices. Gamified training is another, using interactive tools like threat modeling card games or capture-the-flag events to make learning fun and engaging. Lastly, ethical hacking sessions are a great way to introduce teams to the basics of ethical hacking and build foundational skills to think like an attacker.

  • Start small: Begin with one tool and one team. For instance, implement an SCA tool like Snyk Open Source with a team that already values collaboration. Gather feedback and iterate.

  • Developer involvement: Involve developers in choosing tools to ensure the solutions align with their workflows. Integrating tools that work within their preferred IDEs or CI/CD systems will boost adoption.

  • Showcase success: Celebrate wins through lunch-and-learn sessions, demos, or internal case studies. Highlighting the positive impact of security measures can motivate other teams to follow suit.

  • Tailor to your needs: Focus on tools and practices that align with your company’s tech stack and business goals. For example, a company heavily reliant on open source components might prioritize SCA tools.

  • Foster collaboration: Create strong bonds between DevOps and security teams. Activities like team-building exercises can help build trust and cooperation.

5. The impact of AI in DevSecOps

AI (Artificial Intelligence) is a double-edged sword in DevSecOps. While it accelerates development, it also introduces new challenges:

  • AI-generated code: AI-powered coding assistants can generate code quickly, but this speed comes with risks. Automated security checkpoints are essential to catch vulnerabilities before deployment.

  • Expanded attack surface: The potential for supply chain attacks increases as AI is integrated into the code and tools that make up our pipelines. Raising awareness about these risks is critical.

  • Team education: Train teams on new threats, such as the OWASP Top 10 for LLMs, and on how AI and large language models (LLMs) work. This includes understanding prompt engineering, crafting secure prompts, and raising awareness of prompt hacking risks.

By following these steps and embracing a culture of collaboration and continuous learning, you can embark on a successful DevSecOps journey. Of course, there’s much more to say on this topic. If you’d like to learn more and put your questions to community experts, join the DevSecCon community.

Join our community

DevSecCon is where security enthusiasts learn, share, and shape the future of DevSecOps together.