DevOps has given rise to a new type of developer, what I call the full spectrum engineer (FSE). In my previous blog post in this series, I looked at the evolution of software development from requiring specialists to developers who can do it all. So what does it take to thrive in a DevOps environment and succeed as a full spectrum engineer? Here are five things you need to do to make it as an FSE.

1. You must be a good software engineer. That means keeping up with the latest trends in design and implementation. You need to quickly assimilate new frameworks and open source libraries into your first-party code to build software quickly.

2. Test for quality and performance. Quality is not only about meeting functional requirements, but encompasses non-functional requirements as well. Well-written unit tests are just the beginning. An FSE must think about how to create automated regression tests that can be run in a staging environment to ensure that the entire system won’t be negatively impacted by their deployment. Furthermore, you must understand the scale and performance of the system under load. Creating services that scale out and back based on demand will prevent a negative user experience.

3. Understand the complexities of deployment. Whether that be containers, cloud, or infrastructure as code, you need to know where and how the software runs and be able to create those environments from scratch. Using stable, version-controlled configurations for the running environment will ensure that Dev, QA, Staging, and Production all look and behave the same.

4. Take responsibility for operating your applications. As part of a DevOps team, you will be expected to take part in pager duty with the rest of the team. When writing new functionality, consider how to debug it remotely and whether your teammates will be able to do the same. That means logging and other telemetry are critical to the development plan. You have to do more than simply dump data. Turn that data into information that can be consumed by both people and machines. Can the software detect that it is not running properly? Can it heal itself? Can it call for help?

5. Focus on security throughout the development lifecycle. The fast pace of software development means that there is no longer time to wait for a security analysis when your release candidate is ready to deploy. Consider security concerns as part of the acceptance criteria and security scanning in your definition of done. You need tools that can provide quick feedback and diagnosis of security vulnerabilities while writing code. This preventative scanning will not only train you to write secure code – it will also allow the software to run successfully through the assurance scans that are part of any good CI/CD pipeline.

In my next blog post, I’ll offer my advice to development managers looking to hire top talent and train specialists to become FSE generalists. Read the first part of the blog series here: Get Ready for the Full Spectrum Engineer.

About Pete Chestna

As Director of Developer Engagement, Pete provides customers with practical advice on how to successfully roll out developer-centric application security programs. Relying on more than 10 years of direct AppSec experience as both a developer and development leader, Pete provides information on best practices amassed from working with Veracode’s 1,000+ customers. Pete joined Veracode in 2006 as a platform developer and was instrumental in delivering the first version of Veracode’s service to customers. Later, as Director of Platform Engineering, Pete managed the Agile teams responsible for delivering Veracode’s SaaS platform and built the first DevOps team. Pete also spearheaded Veracode’s initiative to automate the use of Veracode products into the company’s development processes. Using this experience, he has spoken with hundreds of Veracode customers to help them set up similar programs. Pete has more than 25 years’ experience developing software and has been developing web applications since 1996, including one of the first applications to be delivered through a web interface.
