Duration
One Day
Outline for Introduction to DevSecOps Training
Chapter 1. What is DevSecOps
• What is DevSecOps?
• DevSecOps as part of DevOps
• Static Code Analysis
• Dynamic Code Analysis
• Secure Code Review
• Defect Classifications
• OWASP (Open Web Application Security Project)
• CWE (Common Weakness Enumeration)
Chapter 2. DevOps and CI/CD Refresher
• DevOps Basics
• Principles of DevOps
• DevOps Benefits
• Continuous Integration
• Continuous Deployment
• Continuous Delivery
• Typical CI/CD pipeline
• Deployment strategies
Chapter 3. Tooling
• Git
• Docker
• Jenkins
• Travis CI
• OWASP ZAP
• Ansible
• InSpec
Chapter 4. Secure SDLC
• What is Secure SDLC
• Secure SDLC Activities and Security Gates
• Requirements, Design, Implementation and Testing
• Deployment and Maintenance
• Embedding Security as part of CI/CD pipeline
• DevSecOps and challenges with Pentesting and Vulnerability Assessment
Chapter 5. DevSecOps Maturity Model (DSOMM)
• Maturity levels and tasks involved
• 4-axes in DSOMM
• Going from Maturity Level 1 to Maturity Level 4
• Maturity level specific practices and challenges
Chapter 6. Software Component Analysis (SCA)
• What is Software Component Analysis (also called Software Composition Analysis)
• SCA Solutions
• Embedding SCA tools into the pipeline
Chapter 7. SAST (Static Application Security Testing)
• What is Static Application Security Testing
• Embedding SAST tools in the pipeline
• Preventing secrets exposure in the code
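To make the last bullet concrete, here is an added example (not part of the course material or of any tool the course uses): a minimal secret scanner of the kind a SAST stage or a pre-commit hook would run over a diff before code reaches the shared repository. The credential patterns, the entropy threshold and the sample source lines are all constructed for illustration; a real pipeline would use a maintained tool and a much larger rule set.

```python
"""Added example: a small pre-commit style secret scanner.

Constructed for illustration; the patterns, threshold and sample input
below are assumptions, not a production rule set.
"""
import math
import re
from collections import Counter

# A few well-known credential shapes (constructed subset for the example).
PATTERNS = {
    # AWS access key IDs start with AKIA followed by 16 upper-case/digit chars.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM private key header, in any of the common key types.
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
    # name = "value" assignments whose name suggests a secret; group 1 is the value.
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random-looking keys score high, English words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(line: str, entropy_threshold: float = 3.5) -> list:
    """Return the names of the patterns that fire on one line."""
    findings = []
    for name, pattern in PATTERNS.items():
        match = pattern.search(line)
        if not match:
            continue
        if name == "generic_assignment":
            value = match.group(1)
            # Skip references to injected config ("${DB_PASSWORD}") and
            # low-entropy placeholders such as "changeme" to limit false positives.
            if value.startswith("${") or shannon_entropy(value) < entropy_threshold:
                continue
        findings.append(name)
    return findings


def scan_source(text: str) -> list:
    """Return (line_number, pattern_name) for every hit in a source file."""
    results = []
    for number, line in enumerate(text.splitlines(), 1):
        for finding in scan_line(line):
            results.append((number, finding))
    return results


def should_block_commit(text: str) -> bool:
    """Gate used by the hook: any finding fails the commit."""
    return bool(scan_source(text))


# Constructed sample "diff" content. The AKIA value is the documentation example key.
SAMPLE = """aws_key = "AKIAIOSFODNN7EXAMPLE"
db_password = "${DB_PASSWORD}"
password = "changeme"
api_key = "9f3a7c2e1b8d4f6a0c5e2b9d"
-----BEGIN RSA PRIVATE KEY-----
token = "abc"
timeout = 30
"""

if __name__ == "__main__":
    for number, finding in scan_source(SAMPLE):
        print(f"line {number}: {finding}")
    raise SystemExit(1 if should_block_commit(SAMPLE) else 0)
```

On the sample above the scanner reports the AWS key on line 1, the high-entropy API key on line 4 and the PEM header on line 5, while the environment-variable reference, the "changeme" placeholder and the too-short token are ignored; the non-zero exit status is what a pre-commit hook or a pipeline stage keys on to stop the commit or fail the build.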
Chapter 8. DAST (Dynamic Application Security Testing)
• What is Dynamic Application Security Testing?
• Session management & AJAX Crawling
• DAST tools
• SSL/TLS misconfiguration testing
• Creating baseline scans for DAST
• Scan frequencies
Chapter 9. Infrastructure as Code (IaC)
• What is Infrastructure as Code?
• Benefits of Infrastructure as Code
• Building Blocks
• Configuration Management Systems
• Ansible
• Modules, tasks, roles and Playbooks
Chapter 10. Compliance as Code
• Handling Compliance Requirements
• Using configuration management to achieve compliance
• InSpec / OpenSCAP
Chapter 11. Vulnerability Management
• Managing vulnerabilities in the organization
• DefectDojo