Over the past year, I’ve done more than 20 free virtual presentations on DevOps at the request of universities around the world. Recently, a few educators have asked me for another offering: A presentation on DevSecOps.
DevSecOps is the inclusion of security as an integral part of traditional DevOps development, a strategy known as shifting left. With DevSecOps, myriad security scans, including dynamic application security testing (DAST) and static application security testing (SAST), along with other security tasks, are performed during the development process rather than deferred until later in the cycle. DevSecOps enables organizations to identify and mitigate vulnerabilities early to ensure safer software and avoid delivery delays.
As DevOps teams across industries evolve into DevSecOps teams, higher education should respond in kind to ensure students likely to enter tech careers have the skills necessary to be competitive. In GitLab’s 2022 Global DevSecOps survey, 53% of respondents said security is everyone’s responsibility. Yet, many college computer science programs don’t include security-related courses in their core requirements.
Every company that develops software – even for internal use only – must be proficient in security to protect its applications. Here is what educators and students need to know about melding security into DevOps curricula to prepare students for the world of DevSecOps.
How educators can teach DevSecOps
"Security education is not about finding specific issues, but about teaching the right mindset," said Gábor Pék, co-founder of security education company Avatao, in TechBeacon.
There are a variety of tools and techniques for security, but students don’t need to know all of them; it’s more important – and more valuable – to focus on the principles of security. Also, as an educator, you can use a single platform to streamline teaching students about how to write secure code.
With a DevSecOps platform like GitLab, students can explore how to protect the software development lifecycle using built-in security tools. GitLab’s docs on securing your application are a great place to start learning about how GitLab approaches DevSecOps and will give students the base knowledge and skills to build upon as they continue to learn in their careers.
Resources for Educators
- An Open Source Security Foundation course on secure programming that you can use to supplement your own courses
- Best Practices for Secure Development
- Understanding security vulnerabilities in student code: A case study in a non-security course
- Bring the DevSecOps platform into your classroom with GitLab for Education’s free license
How students can learn DevSecOps
If a university isn’t offering direct instruction on security, students can still acquire the skills they need to succeed at a career in DevSecOps. Just knowing the term DevSecOps and understanding how it is changing software development can put a student ahead of the curve. Here are some more options for learning:
Participate in a security-focused open source project
Participating in security-focused open source projects is another excellent way to broaden your understanding of the role security plays in modern application development. Many security-focused open source projects call GitLab home, and just by using them, you become part of the communities developing and improving them.
You might consider tinkering with a single application – like popular disk encryption mainstay cryptsetup – or dive deeper into open source security by downloading, installing, and experimenting with Kali Linux, a Linux distribution built for security-minded engineers.
No matter what you choose, be sure to investigate how those communities incorporate security concerns and best practices into their programming. You could even start the conversation by creating an issue in their projects.
Find security-driven organizations
Look into organizations like OpenSSF. OpenSSF seeks to inform and educate developers everywhere about the importance of secure software in the open source world. It’s an important enough consideration that OpenSSF is designated as a Linux Foundation project. OpenSSF offers several ways not only to learn, but also to get directly involved in projects that will sharpen your skills and create networking opportunities outside of your classroom.
Start a security-focused campus group
Many campuses have security-focused groups, and you don’t have to be a cybersecurity student to join. Odalis Estrada from Cal Polytechnic Pomona is a member of Forensics and Security Technology, a.k.a. FAST, a student chapter of the High Technology Crime Investigation Association. Estrada says that her club is a mix of computer science students and cybersecurity students. She says, “There are attacks and vulnerabilities evolving constantly…” and that the club has helped its members “understand old and new attacks.”
If there isn’t a security-focused campus group, consider starting one to explore the importance of security in computer science. It’s a great way to learn more about modern secure software development.
Learning about security doesn’t just benefit developers. “If developers write more secure code, then security teams will have more time to concentrate on other issues,” Estrada said, adding this creates safer software development.
Resources for Students
- Free Coursera course on Secure Software
- National Cybersecurity Student Group
- FAST student group at Cal Poly Pomona
- It’s for kids, but did you know all of this already? Always good to check back in on the basics
Cover image by Towfiqu barbhuiya on Unsplash
“Educators and students need to ensure security is an integral part of DevOps coursework.” – Pj Metz