DevSecOps Specialist

Selects/Deploys/Maintains the set of Continuous Integration/Continuous Deployment (CI/CD) tools and processes used by the development team and/or maintains the deployed software product and ensures observability and security across the lifecycle.

Tasks

The concrete work activities defined for this role in the DCWF v5.1 spreadsheet. Core tasks are required for the role; additional tasks are associated but not mandatory.

• T2054 additional Assess the effectiveness of security controls.
• T412A additional Analyze the results of software, hardware, or interoperability testing.
• T420 additional Apply security policies to meet security objectives of the system.
• T421A additional Apply security architecture principles to meet organization’s confidentiality, integrity, and availability requirements.
• T452 additional Conduct functional and connectivity testing to ensure continuing operability.
• T5050 additional Assess all the configuration management (change configuration/release management) processes.
• T559B additional Analyze and report system security posture trends.
• T568 additional Employ secure configuration management processes.
• T571 additional Ensure all systems security operations and maintenance activities are properly documented and updated as necessary.
• T572 additional Ensure application of security patches for commercial products integrated into system design meet the timelines dictated by the management authority for the intended operational environment.
• T576 additional Ensure cybersecurity-enabled products or other compensating security control technologies reduce identified risk to an acceptable level.
• T5939 additional Choose and deploy the appropriate automated application security testing tools.
• T5940 additional Work with designers and developers throughout the design, development and testing process.
• T5941 additional Utilize tools and techniques like risk assessment, threat modeling, and cybersecurity to detect and analyze the threats.
• T5942 additional Work with Security Engineers to ensure that all security threats are dealt with during the development phase.
• T5943 additional Work with Automation tools are used to identify the vulnerabilities.
• T5944 additional Identify and implement tooling for controlling the steps in a continuous integration (CI) and continuous deployment (CD) pipeline.
• T5945 additional Develop and implement automatic test tools in a CI/CD pipeline, which could include Static Application Security Test (SAST) tools, Dynamic Application Security Test (DAST) tools, Unit Test tools, Static Code Analysis (SCA) tools, etc.
• T5946 additional Develop code within a CI/CD Pipeline.
• T5947 additional Select appropriate language and coding standards for software application for appropriate Continuous Integration/Continuous Deployment (CI/CD) framework.
• T5948 additional Apply testing activities, understands fault vs. failures, conduct basic test planning, develop test selection or adequacy criteria, crafts test documentation, ensures test coverages, and conducts automated testing.
• T5949 additional Transition embedded and non-embedded software developed and sustained using traditional software methods into a DevSecOps environment.
• T5950 additional Develop and deploy software using continuous integration methods, processes, and tools, including test case writing against completion criteria (for each release, capability, micro-service, or component), build automation, and build processes.
• T5951 additional Select and implement telemetry within the CI/CD pipeline and Ops software to support metrics and problem discovery and resolution.
• T5953 additional Provide DevSecOps guidance to leadership.
• T5954 additional Build test interfaces and perform complex integration.
• T5955 additional Work closely with development teams to provide and support the environment needed to deliver an organizations services.
• T653B additional Implement security measures to mitigate or remediate vulnerabilities and security deficiencies, and provide justification for acceptance of residual risk.
• T661A additional Implement system security measures in accordance with established procedures to ensure confidentiality, integrity, availability, authentication, and non-repudiation.
• T708A additional Mitigate/correct security deficiencies identified during security/certification testing and/or recommend risk acceptance for the appropriate senior leader or authorized representative.
• T717A additional Assess and monitor cybersecurity related to system implementation and testing practices.
• T726 additional Oversee and make recommendations regarding configuration management.
• T729A additional Verify minimum security requirements are in place for all applications.
• T754 additional Perform cybersecurity testing of developed applications and/or systems.
• T765 additional Perform security reviews, identify gaps in security architecture, and develop a security risk management plan.
• T795 additional Properly document all systems security implementation, operations and maintenance activities and update as necessary.
• T806A additional Provides cybersecurity recommendations to leadership based on significant threats and vulnerabilities.
• T809 additional Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials).
• T876 additional Verify and update security documentation reflecting the application/system security design features.
• T880A additional Work with stakeholders to resolve computer security incidents and vulnerability compliance.
• T938A additional Provide advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans.

Knowledge, Skills, and Abilities

KSA statements define what a person filling this role knows or can do. "Knowledge" is what they must know, "Skill" is what they can perform, and "Ability" is a durable capacity they bring to the work.

• A3030 ability core Ability to conduct vulnerability scans and recognize vulnerabilities in security systems.
• A4 ability core Ability to identify systemic security issues based on the analysis of vulnerability and configuration data.
• A6090 ability core Ability to develop curriculum for use within a virtual environment.
• K0034 knowledge core Knowledge of database systems.
• K0058 knowledge core Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins.
• K0130 knowledge core Knowledge of virtualization technologies and virtual machine development and maintenance.
• K0144 knowledge core Knowledge of the systems engineering process.
• K1037A knowledge core Knowledge of information technology (IT) risk management policies, requirements, and procedures.
• K130A knowledge core Knowledge of systems security testing and evaluation methods.
• K142A knowledge core Knowledge of the operations and processes for incident, problem, and event management.
• K7087 knowledge core Knowledge of programming languages.
• K7088 knowledge core Knowledge of continuous integration/continuous deployment (CI/CD) processes and pipeline tools.
• K7089 knowledge core Knowledge of portable, extensible, open source platform for managing containerized workloads and services.
• K7090 knowledge core Knowledge of cloud hosting providers.
• K7091 knowledge core Knowledge of threat modeling, risk assessment techniques, code reviews, current best practices and the latest cybersecurity threats.
• K7092 knowledge core Knowledge of how security impacts each development phase and the services.
• K7093 knowledge core Knowledge of a Continuous Integration/Continuous Deployment (CI/CD) environment and processes.
• K7094 knowledge core Knowledge of the steps for release to higher levels of integration testing, certification activities, and/or operations using testbeds, modeling and simulation to synchronize software releases with the development of an operations environment(s) to ensure compatibility.
• K7095 knowledge core Knowledge of every stage in the software project lifecycle, from initial design and build to rollout and maintenance.
• S190 skill core Skill in developing operations-based testing scenarios.
• S238A skill core Skill in writing code in a currently supported programming language (e.g., Java, C++).
• S3822 skill core Skill in managing client relationships, including determining client needs/requirements, managing client expectations, and demonstrating commitment to delivering quality results.
• S3B skill core Skill in conducting vulnerability scans and recognizing vulnerabilities in information systems and networks.
• S3C skill core Skill in recognizing vulnerabilities in information and/or data systems.
• K0021 knowledge additional Knowledge of computer algorithms.
• K0094 knowledge additional Knowledge of parallel and distributed computing concepts.
• K025B knowledge additional Knowledge of encryption algorithms.
• K027A knowledge additional Knowledge of cryptology.
• K075B knowledge additional Knowledge of statistics.
• K1040A knowledge additional Knowledge of relevant laws, policies, procedures, or governance related to critical infrastructure.
• K1139A knowledge additional Knowledge of implementing enterprise key escrow systems to support data-at-rest encryption.
• K1141A knowledge additional Knowledge of an organization's information classification program and procedures for information compromise.
• K3642 knowledge additional Knowledge of various types of computer architectures.
• K6240 knowledge additional Knowledge of critical protocols (e.g., IPSEC, AES, GRE, IKE).
• S220 skill additional Skill in systems integration testing.
• S225A skill additional Skill in the use of penetration testing tools and techniques, including specialized tools for non-traditional systems and networks (e.g., control systems).

EWU courses that develop this role

Skill drills that practice this role

Exam questions from CSCD 240. Click any to work it.

• CSCD240-E1-A-Q45 primary command-substitution Print "Backup taken on <today>" using $(date +%Y-%m-%d) as the date.
• CSCD240-E1-B-Q41 primary command-subst Print "Backup taken on <today>" using $(date +%F).
• CSCD240-E1-C-Q06 primary cmd-subst Recommended modern syntax for command substitution?

Other roles in this element