Training Programs>Security & Cyber Forensics

WA3137

Introduction to DevSecOps Training

DevSecOps (Development, Security, and Operations) is an approach to culture (change), automation, and platform design that integrates security as a shared responsibility throughout the entire Software Development Life Cycle (SDLC). This course is designed for clients who need to prioritize security and compliance into a CI/CD DevOps workflow.

Enroll Introduction Course Outline

12/05/2022 - 12/06/2022

10:00 AM - 06:00 PM

Online Virtual Class

USD $1,525.00

Enroll

01/23/2023 - 01/24/2023

10:00 AM - 06:00 PM

Online Virtual Class

USD $1,525.00

Enroll

03/06/2023 - 03/07/2023

10:00 AM - 06:00 PM

Online Virtual Class

USD $1,525.00

Enroll

Introduction

DevSecOps represents the evolution of the software development lifecycle, where development, security, and operations seamlessly intersect. It automates the integration of security at each phase of the IT lifecycle, and promotes a shared responsibility between teams. This two-day course covers the foundational concepts of DevSecOps, and why security has become critical to each phase of the software development lifecycle.

Objectives

Upon completion of the class, participants will have the foundation to understand DevSecOps and be able to implement a process where products and services have a compliant source to Production pipeline.

Topics

• Introduction to DevSecOps
• A CI/CD Journey – Process, People, and Tools
• Adding Security to the Ci/CD
• Software Component Analysis
• Static Analysis in CI/CD
• Dynamic Analysis
• Infrastructure Security with Infrastructure as Code
• Compliance with Code

Audience

Developers, Delivery team, and Compliance Team (members), IT Managers and Security Professionals, Project and Product Managers, Testing and Quality Assurance Teams, Site Reliability Engineers, along with Maintenance and support staff who are interested in learning about and architecting DevSecOps strategies and automation.

Prerequisites

It is assumed that the participant has attended and completed DevOps Foundation training, or has been part of an organization that has implemented (at least) basic DevOps principles.

Students must meet the following:

Basic Operations skills like file editing, file manipulation, process management, and other command line skills (for Linux primarily)
Basic Networking including ip addresses, firewall basics, and remote socket/port access.
Basic application deployment either manually or automated
Git repo management including merges and feature branch management
CI/CD familiarity plus experience with a build server like Jenkins, Bamboo, etc.
Experience with an “Infrastructure as Code” tool such as Terraform, Cloud formation, Trophosphere, etc.

Duration

Two Days

Outline for Introduction to DevSecOps Training

Chapter 1. What is DevSecOps

• What is DevSecOps?

• DevSecOps as part of DevOps

• Static Code Analysis

• Dynamic Code Analysis

• Secure Code Review

• Defect Classifications

• OWASP open web application security project

• CWE common weakness enumeration

Chapter 2. DevOps and CI/CD Refresher

• DevOps Basics

• Principles of DevOps

• DevOps Benefits

• Continuous Integration

• Continuous Deployment

• Continuous Delivery

• Typical CI/CD pipeline

• Deployment strategies

Chapter 3. Tooling

• Git

• Docker

• Jenkins

• Travis

• OWASP ZAP/

• Ansible

• Inspec

Chapter 4. Secure SDLC

• What is Secure SDLC

• Secure SDLC Activities and Security Gates

• Requirements, Design, Implementation and Testing

• Deployment and Maintenance

• Embedding Security as part of CI/CD pipeline

• DevSecOps and challenges with Pentesting and Vulnerability Assessment.

Chapter 5. DevSecOps Maturity Model (DSOMM)

• Maturity levels and tasks involved

• 4-axes in DSOMM

• Going from Maturity Level 1 to Maturity Level 4

• Maturity level specific practices and challenges

Chapter 6. Software Component Analysis (SCA)

• What is Software Component Analysis.

• SCA Solutions

• Embedding SCA tools into the pipeline

Chapter 7. SAST (Static Analysis Security Testing)

• What is Static Application Security Testing.

• Embedding SAST tools in the pipeline.

• Preventing secrets exposure in the code.

Chapter 8. DAST (Dynamic Analysis Security Testing)

• What is Dynamic Application Security Testing?

• Session management & AJAX Crawling

• DAST tools

• SSL misconfiguration testing

• Creating baseline scans for DAST.

• Scan frequencies

Chapter 9. Infrastructure as Code (IaaC)

• What is Infrastructure as Code?

• Benefits of Infrastructure as Code

• Building Blocks

• Configuration Management Systems

• Ansible

• Modules, tasks, roles and Playbooks

Chapter 10. Compliance as code

• Handling Compliance Requirements

• Using configuration management to achieve compliance.

• Inspec / OpenScap

Chapter 11. Vulnerability Management

• Managing vulnerabilities in the organization.

• Defect Dojo