Industry Expert Interview: Exploring DevSecOps in the Defense Sector
Introduction
For this assignment, I interviewed Roberto Solis, who is currently Department Head and Professor of Computer Science at Citrus College. Prior to joining academia, Mr. Solis spent 15 years at Northrop Grumman leading DevSecOps initiatives for classified defense projects. I chose Mr. Solis because I aim to become a DevSecOps engineer in the defense sector; his path—from architecting secure pipelines at Northrop Grumman to teaching software engineering at Citrus College—mirrors the bridge between theory and practice that I hope to build in my own career.
We spoke via Zoom for twenty-five minutes on June 1, 2025. Mr. Solis responded to follow-up inquiries via email and gave permission to record for note accuracy. His experience with DevSecOps at a Tier 1 defense contractor, a Master's degree in computer science, and current leadership in academia have given him a thorough understanding of the organizational and technological difficulties in defense software.
Summary of Key Takeaways
Career Path and Transition
After earning his Master's degree, Mr. Solis started working as a software developer at a federal research facility, where he concentrated on secure communication protocols. He then became a senior software architect at Northrop Grumman, where for more than ten years he developed and expanded DevSecOps pipelines for projects involving classified workloads and Controlled Unclassified Information (CUI). Believing that his practical expertise could better prepare students for industry, he accepted an offer to lead Citrus College's Computer Science department in 2020. He underlined that managing DevSecOps at Northrop required ongoing adjustment to new DoD compliance frameworks, such as CMMC, NIST SP 800-53, and the DoD's Risk Management Framework (RMF), and that switching to teaching enabled him to condense those evolving procedures into labs and courses.
Technical Challenges in Defense DevSecOps
Mr. Solis emphasized that "shifting left" in defense meant contending with multi-level security architectures and classified enclaves, not just adding security scans. He explained how Northrop's teams created hybrid pipelines, in which lower-risk modules could be deployed to AWS GovCloud while the initial builds and static analysis of high-security components took place inside an on-premise, air-gapped enclave. DoD guidelines changed often, making it difficult to automate these pipelines while keeping an Authority to Operate (ATO). He also emphasized how hard it was to scan programs that used export-controlled cryptographic libraries, because standard scanners frequently flagged them as insecure; as a result, his team created custom heuristics to distinguish legitimate algorithms from genuine security flaws.
Valuable Skills and Attributes
When asked what sets successful DevSecOps engineers in defense apart, Mr. Solis emphasized:
Deep Technical Foundations: A solid grasp of networking, operating systems, and cryptography is essential. He encourages reviewing discrete math and computer architecture, since these fundamentals underpin secure design decisions.
Rapid Adaptability to Compliance: In defense, regulations—CMMC levels, FedRAMP controls, RMF steps—shift regularly. Being able to digest a new DoD security memo one week and implement policy-as-code changes the next is more important than mastery of any single security tool.
Clear Communication: DevSecOps engineers liaise between developers, security teams, program managers, and auditors. Mr. Solis noted that writing a concise Risk Assessment report or explaining a compliance gap to a government stakeholder can be more critical than fixing a code vulnerability.
Advice for Aspiring DevSecOps Engineers
Talking with Mr. Solis broadened my understanding of what it truly means to be a DevSecOps engineer in defense. I had assumed—incorrectly—that adding a few security scans to a cloud pipeline sufficed. In reality, I now see that defense pipelines must straddle on-prem enclaves and GovCloud, address multi-level security controls, and continuously adapt to new DoD policies. Mr. Solis’s journey—from securing unmanned-vehicle protocols to teaching container security at Citrus—showed me how practical DevSecOps skills can be codified into curriculum to better prepare students for these complexities.
His anecdotes about spending two months refactoring a CI/CD pipeline to comply with a new DoD encryption mandate underscored that, in defense, “build once and forget” is impossible. Pipelines need monitoring not only for vulnerabilities but for compliance drift. This insight has shifted my approach: rather than focusing solely on feature delivery, I’ll design my pipelines to include automated policy-as-code checks and continuous compliance validation.
Furthermore, Mr. Solis’s emphasis on communication exposed a gap in my own skill set. While I feel confident troubleshooting a misconfigured Kubernetes cluster, I’ve never written a formal Risk Assessment letter. After his advice, I realize I need to practice distilling technical details into clear, non-technical summaries—whether through blog posts or explaining a threat model in under five minutes to a non-technical friend.
Future Steps
Based on Mr. Solis’s guidance, I plan to enhance my portfolio and pursue additional certifications over the next few months. First, I will extend my existing FastAPI microservice to include OPA policy checks in its Terraform-based deployment pipeline so that any plan not enforcing FIPS-compliant encryption automatically fails. Simultaneously, I’ll prepare for the AWS Certified Security – Specialty exam by November 2025 and aim for CISSP by mid-2026, building on my AWS Developer-Associate and Docker Certified Associate credentials.

To gain hands-on compliance experience, I’ll simulate an ATO process in a sandbox AWS account: documenting data flow diagrams, mapping controls to NIST SP 800-53, running penetration tests, and generating the artifacts a DoD auditor would expect. I also plan to set up a hybrid pipeline by creating a local Kubernetes cluster (using kind or k3s) alongside an AWS GovCloud sandbox, then implementing a CI/CD workflow that scans code in the local enclave and deploys approved containers to GovCloud.

For networking and mentorship, I will register for the October 2025 virtual DevSecOps Days West Coast to connect with defense-industry practitioners who can advise me on evolving RMF requirements, and I’ll send quarterly updates to Mr. Solis—detailing how I’ve integrated OPA checks or completed AWS Security labs—so he can continue offering feedback and possibly introduce me to contacts at Northrop Grumman or other defense firms.

Finally, to polish my communication skills, I will publish a short blog post each time I complete a security-related project (for example, setting up a Firecracker-based microVM demo) that outlines the problem, my approach, and the key lessons in plain language, and I’ll organize monthly “DevSecOps Roundtables” with classmates to review each other’s pipelines and take turns delivering five-minute threat-model presentations, strengthening my ability to communicate complex concepts.
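One way the OPA gate described above could be expressed, as an added example that is not from the original post or from any of the tools it names: a Rego policy evaluated with conftest against the JSON produced by `terraform show -json plan.out`. It assumes the team defines "FIPS-compliant encryption" as encryption at rest with a customer-managed AWS KMS key (the `kms_key_id` / `kms_master_key_id` attribute names are the real Terraform AWS provider attributes), and it checks only RDS instances and S3 server-side encryption configurations.

```rego
package terraform.fips

import rego.v1

# Added example policy (not the project's own code). Run with:
#   terraform plan -out plan.out && terraform show -json plan.out > plan.json
#   conftest test plan.json --policy .
# Assumption: "FIPS-compliant" means encryption at rest under a
# customer-managed AWS KMS key named explicitly in the plan.

# Resources this plan will create or update; destroyed ones are ignored.
changed contains rc if {
    some rc in input.resource_changes
    some action in rc.change.actions
    action in {"create", "update"}
}

# RDS instances must have storage encryption switched on ...
deny contains msg if {
    some rc in changed
    rc.type == "aws_db_instance"
    not rc.change.after.storage_encrypted
    msg := sprintf("%s: storage_encrypted must be true", [rc.address])
}

# ... and must name the KMS key rather than relying on a provider default.
deny contains msg if {
    some rc in changed
    rc.type == "aws_db_instance"
    rc.change.after.storage_encrypted
    not rc.change.after.kms_key_id
    msg := sprintf("%s: kms_key_id must reference a customer-managed key", [rc.address])
}

# S3 encryption configurations must use SSE-KMS with an explicit key;
# AES256 (SSE-S3) and KMS-without-key are both rejected. Nested blocks
# appear as arrays in the plan JSON, hence the [_] indexing.
deny contains msg if {
    some rc in changed
    rc.type == "aws_s3_bucket_server_side_encryption_configuration"
    some rule in rc.change.after.rule
    default_enc := rule.apply_server_side_encryption_by_default[_]
    not sse_kms_with_key(default_enc)
    msg := sprintf("%s: server-side encryption must be aws:kms with kms_master_key_id", [rc.address])
}

sse_kms_with_key(enc) if {
    enc.sse_algorithm == "aws:kms"
    enc.kms_master_key_id != ""
}
```

A non-empty `deny` set makes conftest exit non-zero, which is what fails the pipeline stage before `terraform apply` runs.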