One upside of a new technology trend taking flight: A glut of new opportunities to learn about said trend usually follows.
This often requires finding the more valuable signals amidst the noise, and that’s true with DevSecOps. There are increasingly abundant resources for learning more about DevSecOps culture and practices, enough so that it might seem tough to know where to begin.
That’s why we’re here for you and your team. Below, we share five overlapping ways to dig into DevSecOps and learn more about this modern approach to secure applications and infrastructure.
[ Want a shareable primer on DevSecOps and its benefits? See What is DevSecOps. ]
1. Curate a reading list
If you want to start learning, start reading. Yes, there are other methods: Learning by doing, learning by teaching, etc. – all good avenues. But reading has a low barrier to entry, especially if there’s a wealth of available resources online. (There is.)
Books, blogs, podcasts (read with your ears!), articles – there’s no shortage of DevSecOps-relevant material out there. Read widely at first and then focus as you see fit to your individual or organizational goals.
Here are some suggestions to get started:
Books
The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations: This sequel to the famed DevOps book, The Phoenix Project, with a greater emphasis on the role of security in DevOps pipelines and throughout an organization.
Site Reliability Engineering: DevSecOps and SRE aren’t one and the same, but they share a lot of DNA – including an emphasis on culture and automation. Bonus: You can read this influential work online for free.
Podcasts
The Secure Developer: “A podcast about security for developers, covering tools and best practices.”
Relating to DevSecOps: “A podcast dedicated to forging iron-clad relationships between developers, engineers, operations, and security practitioners by discussing hot topics in the world of DevSecOps.”
While you're at it, check out Compiler, a new podcast from Red Hat, "demystifying tech, one question at a time." For example, episode four tackles a question near and dear to security pros: Do we want a world without technical debt?
Articles and Whitepapers
How to explain DevSecOps in plain English: If you’re making the case for DevSecOps in your organization, it helps to be able to explain it. We’ve got your back with the latest in our explainer series.
DevSecOps pipelines and tools: What you need to know: Our sibling site, Opensource.com, breaks it down.
A layered approach to container and Kubernetes security: DevSecOps is well-suited to cloud and cloud-native development and environments. Increasingly, that means containers and orchestration. This whitepaper describes the multiple components or layers of securing containerized applications managed with Kubernetes.
[ Also read 5 DevSecOps myths, explained. ]
2. Attend a conference
The tech conference circuit was disrupted in 2020 like most other facets of professional and personal life, but that doesn’t mean it disappeared.
Rather, many conferences and events shifted to virtual formats. Some of them have started returning to in-person or hybrid formats, but continued concerns about safety mean you’ll likely be able to attend industry events remotely for the foreseeable future.
Security-focused conferences will all but inevitably feature more DevSecOps tracks and content going forward. Better yet, there are DevSecOps-focused events.
DevSecOps Days is a good example: Following on the model of the popular DevOps Days series, the DevSecOps version describes itself as “a global series of virtual conferences helping to educate, evolve, and explore concepts around developing security as code.” While the regular events are affiliated with different cities and local groups, the events are all currently available virtually.
DevSecCon is another example: It offers both U.S. and EU summits, as well a series of community events, a Slack channel, and other content.
On a related note, check out the security track at AnsibleFest, a virtual event on September 29-30, for insights on security and automation.
3. Join a DevSecOps meetup or group
IT career advice commonly mentions local and virtual meetups as a means of networking, but such groups can be equally if not more valuable for learning from peers and industry veterans.
There’s a burgeoning community of meetups and other groups with a DevSecOps focus or at least DevSecOps relevance. The next question: How do I find one? That’s easier than ever: Meetup.com boasts 132 different DevSecOps groups with nearly 29,000 members worldwide, from Austin, TX to Zurich, Switzerland – not to mention 79 other cities and 21 other countries.
(Meetings and events are still often virtual, too, so location might not necessarily matter – though check with a particular group for details.)
These range from general DevSecOps groups to vendor-specific user groups and other themes. The NoVa DevSecOps group based in McLean, VA, focuses on DevSecOps in the federal government, for example.
Industry working groups offer similar learning opportunities. The Cloud Security Alliance has a DevSecOps working group that meets regularly and also publishes research reports on DevSecOps fundamentals such as collective responsibility and automation.
4. Get involved with a relevant open source project
There’s a clear connection between DevSecOps culture and practices and the open source community, a relationship that Anchore technical marketing manager Will Kelly recently explored in an opensource.com article, “DevSecOps: An open source story.”
As you build your knowledge, getting involved in a DevSecOps-relevant project is another opportunity to expand and extend your experience. That could range from something as simple as joining a project’s community group or Slack to ask questions about a particular tool, to taking on a larger role as a contributor at some point.
The threat modeling tool OWASP Threat Dragon, for example, welcomes new contributors via its Github and website, including testers and coders.
Also check out Red Hat technology evangelist Gordon Haff’s advice on 5 DevSecOps open source tools to know: They are Clair, Sigstore, KubeLinter, Open Policy Agent and Gatekeeper, and Falco.
5. Explore DevSecOps certifications
The value of various technical certifications is a subject of ongoing – or at least on-again, off-again – debate in the InfoSec community. But IT certifications, in general, remain a solid complementary career development component.
Considering a DevSecOps-focused certification track is in itself a learning opportunity since any credential worth more than a passing glance should require some homework to attain.
Expect this to be an evolving space, and one worth comparing notes on with peers in terms of their experience or the anecdotal value of particular certifications. (If your current employer offers professional development funding or will otherwise foot the bill, all the better.) For now, know that there are DevSecOps-specific credentials, such as the Practical DevSecOps series of courses and certifications, including the Certified DevSecOps Professional (CDP). There are three other levels as well.
DevOps Institute also offers the DevSecOps Foundation (DSOF) certification.
[ How do containers and Kubernetes help manage risk? Read also: A layered approach to container and Kubernetes security. ]