This interview was cross-posted from the Veracode Community.
With his third consecutive championship in the Secure Coding Challenge – the monthly coding competition in the Veracode Community – Hans Dam is the first in the community to clinch the title of Secure Code Champion. We spoke with him about his experience in the coding competitions and his career growth from a software developer to a DevSecOps manager.
As DevSecOps manager currently working at Explorance, Hans manages the DevOps and AppSec teams and is responsible for managing internal application security scans, improving internal processes with automation, and developing tools for deployment and monitoring. His strong passion for DevOps and automation is at the core of his current role.
What makes Hans the first Secure Code Champion and how did he get application security under his belt? In this interview, Hans shares his takeaways from the Secure Coding Challenges and his advice for developers looking to break into the security world.
About your experience in the Secure Coding Challenge
What brought you to Veracode’s Secure Coding Challenge?
The company I work for, Explorance, was offered a demo of Veracode Security Labs, and I found the gamification aspect of Security Labs exciting. Unfortunately, during the demo, we did not set it up as a competition. Because of this, when Veracode announced a competition involving security best practices and programming, I was hooked.
What did you find most valuable in participating in the Challenge?
I really like the diversity of programming languages and frameworks used in Veracode Security Labs. I had not touched Go, Flask, or Scala code before I participated in the Secure Coding Challenges. Additionally, it’s always nice to brush up on the basics, including the OWASP Top 10 vulnerabilities.
What’s your suggestion for participants to stand out in the competition?
Know that you don’t have to complete every step described in each Lab. For example, if you make a code change you don’t always have to run and test your solution. Many times, it is enough to simply save the file.
About your experience becoming a DevSecOps Engineer
How have you grown from a software developer into a DevSecOps engineer? What are the skillsets and knowledge required for this career change? How did you acquire those skills?
I started at Explorance as a software developer, developing new features for our main product. Based on my experience in previous companies, I saw some areas where we could improve the processes and increase automation. I started creating build scripts, developing internal tools, and playing around with the possibilities of continuous integration.
I was then offered the opportunity to lead our maintenance team, whose main objective was to quickly diagnose and resolve customer issues, in unison with our customer support engineers and operations team. This gave me the perspective of different departments on the product features, reliability, debuggability, deployment, and documentation.
I got the opportunity to switch focus and started a role in application security within Explorance. We wanted to increase our focus on security by doing internal security scanning, increasing the application security awareness among developers, and reacting to emerging trends more rapidly.
Working with Veracode to identify and mitigate security issues in our products helped me open my eyes to best practices and the many ways things can go wrong when trying your best to rapidly meet customers' needs.
My latest role change at Explorance was to become a DevSecOps Manager, which means that I am managing our DevOps and AppSec teams.
Within Explorance, the transition from software developer to DevSecOps manager has been a product of me trying out a bunch of different things and the organization believing in me. The main skillsets would be tenacity and listening to your colleagues about how to improve every day.
What are the top 3 qualities of a successful DevSecOps engineer?
- Communication. As a DevSecOps engineer, you need to have constant dialogs with development, security, and operations within your organization. To have effective communication, you need to listen and learn from the people you talk to.
- Scripting/Integration. Scripting a prototype or closing a gap in processes with scripting is essential to getting things done. Further, integrating security or deployment tools in your continuous integration system is essential to automation, security, and consistency.
- Risk management techniques and threat modeling. Manage risk to know where to concentrate your attention. Analyzing internal and external threats and communicating the results with a model is essential for your organization to better design secure systems.
Is there any tool, resource, forum/meet-up, or course you’d recommend for developers looking to break into the security world?
I enjoy Troy Hunt and his projects and courses, which I have followed on both Pluralsight and his personal blog. Further, I keep up-to-date with the latest trends on HackerNews (https://news.ycombinator.com/) and reddit.com/r/netsec. Of course, nothing beats getting your hands dirty by scanning several applications with Veracode and mitigating the flaws.