WA3137

Introduction to DevSecOps Training

This DevSecOps (Development, Security, and Operations) course teaches attendees the basics of DevSecOps and explains why security has become critical to each phase of the software development lifecycle.

DevSecOps is the evolution of the software development lifecycle, where development, security, and operations seamlessly intersect. This course teaches students how to automate security at each phase of the IT lifecycle and promote a shared responsibility between teams.

Course Details

Duration

2 days

Prerequisites

  • Basic operations skills such as file editing, file manipulation, process management, and other command-line skills (primarily on Linux)
  • Basic networking, including IP addresses, firewall basics, and remote socket/port access
  • Basic application deployment, either manual or automated
  • Git repository management, including merges and feature-branch management
  • CI/CD familiarity plus experience with a build server such as Jenkins, Bamboo, etc.
  • Experience with an "Infrastructure as Code" tool such as Terraform, CloudFormation, Troposphere, etc.

Target Audience

  • Developers
  • Delivery and Compliance Teams (members)
  • IT Managers and Security Professionals
  • Project and Product Managers
  • Testing and Quality Assurance Teams
  • Site Reliability Engineers
  • Maintenance and support staff who are interested in learning about and architecting DevSecOps strategies and automation

Skills Gained

  • Understand DevSecOps
  • Be able to implement a process where products and services have a compliant source-to-production pipeline

Course Outline
  • What is DevSecOps
    • What is DevSecOps?
    • DevSecOps as part of DevOps
    • Static Code Analysis
    • Dynamic Code Analysis
    • Secure Code Review
    • Defect Classifications
    • OWASP (Open Web Application Security Project)
    • CWE (Common Weakness Enumeration)
  • DevOps and CI/CD Refresher
    • DevOps Basics
    • Principles of DevOps
    • DevOps Benefits
    • Continuous Integration
    • Continuous Deployment
    • Continuous Delivery
    • Typical CI/CD pipeline
    • Deployment strategies
  • Tooling
    • Git
    • Docker
    • Jenkins
    • Travis
    • OWASP ZAP
    • Ansible
    • InSpec
  • Secure SDLC
    • What is Secure SDLC?
    • Secure SDLC Activities and Security Gates
    • Requirements, Design, Implementation and Testing
    • Deployment and Maintenance
    • Embedding Security as part of the CI/CD pipeline
    • DevSecOps and challenges with Pentesting and Vulnerability Assessment
  • DevSecOps Maturity Model (DSOMM)
    • Maturity levels and tasks involved
    • 4-axes in DSOMM
    • Going from Maturity Level 1 to Maturity Level 4
    • Maturity level specific practices and challenges
  • Software Component Analysis (SCA)
    • What is Software Component Analysis?
    • SCA Solutions
    • Embedding SCA tools into the pipeline
  • SAST (Static Application Security Testing)
    • What is Static Application Security Testing?
    • Embedding SAST tools in the pipeline
    • Preventing secrets exposure in the code
  • DAST (Dynamic Application Security Testing)
    • What is Dynamic Application Security Testing?
    • Session management & AJAX Crawling
    • DAST tools
    • SSL misconfiguration testing
    • Creating baseline scans for DAST
    • Scan frequencies
  • Infrastructure as Code (IaC)
    • What is Infrastructure as Code?
    • Benefits of Infrastructure as Code
    • Building Blocks
    • Configuration Management Systems
    • Ansible
    • Modules, tasks, roles and Playbooks
  • Compliance as Code
    • Handling Compliance Requirements
    • Using configuration management to achieve compliance
    • InSpec / OpenSCAP
  • Vulnerability Management
    • Managing vulnerabilities in the organization
    • DefectDojo