DevSecOps represents the evolution of the software development lifecycle, where development, security, and operations seamlessly intersect. It automates the integration of security at each phase of the IT lifecycle, and promotes a shared responsibility between teams. This two-day course covers the foundational concepts of DevSecOps, and why security has become critical to each phase of the software development lifecycle.
Upon completion of the class, participants will have the foundation to understand DevSecOps and be able to implement a process where products and services flow through a compliant source-to-production pipeline.
• Introduction to DevSecOps
• A CI/CD Journey – Process, People, and Tools
• Adding Security to the CI/CD Pipeline
• Software Component Analysis
• Static Analysis in CI/CD
• Dynamic Analysis
• Infrastructure Security with Infrastructure as Code
• Compliance with Code
Developers, delivery and compliance team members, IT managers and security professionals, project and product managers, testing and quality assurance teams, site reliability engineers, and maintenance and support staff who are interested in learning about and architecting DevSecOps strategies and automation.
It is assumed that the participant has attended and completed DevOps Foundation training, or has been part of an organization that has implemented (at least) basic DevOps principles.
Students must meet the following prerequisites:
- Basic operations skills such as file editing, file manipulation, process management, and other command-line skills (primarily on Linux)
- Basic networking, including IP addresses, firewall basics, and remote socket/port access
- Basic application deployment, either manual or automated
- Git repository management, including merges and feature-branch management
- CI/CD familiarity plus experience with a build server such as Jenkins, Bamboo, etc.
- Experience with an "Infrastructure as Code" tool such as Terraform, CloudFormation, Troposphere, etc.
Outline for Introduction to DevSecOps Training
Chapter 1. What is DevSecOps
• What is DevSecOps?
• DevSecOps as part of DevOps
• Static Code Analysis
• Dynamic Code Analysis
• Secure Code Review
• Defect Classifications
• OWASP (Open Web Application Security Project)
• CWE (Common Weakness Enumeration)
Chapter 2. DevOps and CI/CD Refresher
• DevOps Basics
• Principles of DevOps
• DevOps Benefits
• Continuous Integration
• Continuous Deployment
• Continuous Delivery
• Typical CI/CD pipeline
• Deployment strategies
Chapter 3. Tooling
• OWASP ZAP
Chapter 4. Secure SDLC
• What is Secure SDLC
• Secure SDLC Activities and Security Gates
• Requirements, Design, Implementation and Testing
• Deployment and Maintenance
• Embedding Security as part of CI/CD pipeline
• DevSecOps and challenges with pentesting and vulnerability assessment
Chapter 5. DevSecOps Maturity Model (DSOMM)
• Maturity levels and tasks involved
• The 4 axes in DSOMM
• Going from Maturity Level 1 to Maturity Level 4
• Maturity level specific practices and challenges
Chapter 6. Software Component Analysis (SCA)
• What is Software Component Analysis?
• SCA Solutions
• Embedding SCA tools into the pipeline
Chapter 7. SAST (Static Application Security Testing)
• What is Static Application Security Testing?
• Embedding SAST tools in the pipeline
• Preventing secrets exposure in the code
Chapter 8. DAST (Dynamic Application Security Testing)
• What is Dynamic Application Security Testing?
• Session management & AJAX Crawling
• DAST tools
• SSL/TLS misconfiguration testing
• Creating baseline scans for DAST
• Scan frequencies
Chapter 9. Infrastructure as Code (IaC)
• What is Infrastructure as Code?
• Benefits of Infrastructure as Code
• Building Blocks
• Configuration Management Systems
• Modules, tasks, roles, and playbooks
Chapter 10. Compliance as Code
• Handling compliance requirements
• Using configuration management to achieve compliance
• InSpec / OpenSCAP
Chapter 11. Vulnerability Management
• Managing vulnerabilities in the organization
• DefectDojo