So you want to DevSecOps?

The first week in DevSecOps my world was turned upside down. Everything I thought I knew about security and performing in the workplace was completely shattered. By the end of the week I was changed, moved, and every bit of me was squeezed out. I had learned faster than I had ever learned in my entire life. After just one week most people would have simply quit. The change, the pace and the demand for security knowledge was unlike anything I had ever experienced. For some reason I could not wait to get back on Monday. I continued my journey into the weekend because I simply could not stop.

The first thing I had to learn was to ask the right questions. I was dropped into a high performing team and was tasked with finding things to improve. This did not take long at all, and I was able to take on a task that involved a subject I had never done before. Not to mention it involved multiple coding languages I had not worked with previously. The sinking feeling kicked in quickly and I was momentarily siloed in my own mind. Shortly after that I realized I was surrounded by extremely capable individuals, and by utilizing a short period of time with one such individual I was able to complete my task. I was able to check in some code in a language I had never used and cause an improvement to our current process, all in my first week. I was hooked on the momentum of the environment and looked to challenge myself further.

Why security as code, you ask? By delivering security as code we are able to deliver awesome products that enable our customers to do things like have access to self-service vulnerability scans, resources to help them make decisions, and automated processes for improved security. We are not just in the business of creating a list of security issues. We are in the business of full-cycle security. We perform security testing to discover vulnerabilities and misconfigurations, follow through with remediation coupled with the education to help our customers make smart decisions, and provide security as code to allow them to improve their own processes.

The idea of doing things simply in the name of security was chiseled away as I was forced to understand what I was solving for before I started doing something. Oftentimes final outcomes require experimentation and team decision making to reach the final product. But the product itself is never final. All products must be improved upon until their dying day, when they are replaced with newer technology and implementation decisions that were made by learning from past mistakes.

This is a blameless, high performing team where no part of security is off limits except excuses. I realized that I was turning myself into the kind of security professional that would be sought after for years to come and was doing innovative work on a daily basis. Learning at a rapid pace is par for the course, and constant improvement is a must. I've realized that I cannot get this kind of experience anywhere else except somewhere that DevSecOps reigns supreme, and it certainly did in my mind after this short period of time.

I now live DevSecOps on a daily basis…