I'm part of the AppSec team, and I'm often running into issues with one of our DevOps engineers who seems to lack essential skills. Recently, we needed him to integrate Veracode SAST scans with our Azure DevOps repositories, but he didn't know how to get started—we had to walk him through each step.
We recently flagged some issues after scanning a branch, where the developer argued that the scan was for 'dev code' and not 'SIT code.' When I questioned why dev code was even in the SIT branch, we discovered they mix dev, SIT, load test, and even production code all in the same repository and branches. It appears the branching strategy is either nonexistent or mismanaged.
This kind of chaos is making it really tough to maintain clean environments or conduct effective scans. I'm wondering if it's reasonable to expect a DevOps engineer to:
• Set up basic SAST integrations in Azure DevOps?
• Maintain an organized branching strategy?
• Understand the risks of mixing environments within the same branch?
I want to check if my expectations are unfair or if this represents a real skills gap. I'd love to know how others deal with similar situations or what basic skills you think a DevOps engineer should possess.
5 Answers
Just to chime in, your experience is super common. I'm all for collaboration, but it sounds like you're in a bit of a mess with the current branching structure. Maybe it's time for a team discussion on establishing some clean practices that everyone can follow.
I think expecting a DevOps engineer to handle basic SAST integrations and maintain a clear branching strategy is reasonable. Mixing environments in a single branch complicates matters significantly. Have you considered if there's a company-wide policy for repo management? It might help to see if the issue is recurring for others too.
Honestly, it's a bit ridiculous to expect someone to know every tool out there. From what you describe, it sounds like more of an organizational issue than a skills gap. Maybe find out if they’ve received proper training on the tools you want them to use.
With over 20 years in IT, I've never worked with some specific tools like Veracode. So expecting an engineer to know certain integrations can be unreasonable. There are many ways to set up DevOps, and it sounds like you might be too focused on one approach. Maybe looking into how the branching strategy suits your projects could be beneficial.
A good point to consider: If you feel there are gaps in his skills, suggest specific training or resources to his manager rather than just saying he lacks skills. It’s all about building a supportive environment.