Upcoming sessions (Online Virtual Class, 10:00 AM - 06:00 PM, USD $1,525.00):
12/05/2022 - 12/06/2022
01/23/2023 - 01/24/2023
03/06/2023 - 03/07/2023

Introduction

DevSecOps represents the evolution of the software development lifecycle, where development, security, and operations intersect. It automates the integration of security at each phase of the IT lifecycle and promotes shared responsibility between teams. This two-day course covers the foundational concepts of DevSecOps and why security has become critical to each phase of the software development lifecycle.

Objectives

Upon completion of the class, participants will have the foundation to understand DevSecOps and be able to implement a process where products and services have a compliant source-to-production pipeline.

Topics

Introduction to DevSecOps
A CI/CD Journey – Process, People, and Tools
Adding Security to the CI/CD Pipeline
Software Component Analysis
Static Analysis in CI/CD
Dynamic Analysis
Infrastructure Security with Infrastructure as Code
Compliance with Code

Audience

Developers, delivery team and compliance team members, IT managers and security professionals, project and product managers, testing and quality assurance teams, site reliability engineers, and maintenance and support staff who are interested in learning about and architecting DevSecOps strategies and automation.

Prerequisites

It is assumed that the participant has attended and completed DevOps Foundation training, or has been part of an organization that has implemented at least basic DevOps principles.

Students must meet the following:

  • Basic operations skills such as file editing, file manipulation, process management, and other command-line skills (primarily on Linux)
  • Basic networking, including IP addresses, firewall basics, and remote socket/port access
  • Basic application deployment, either manual or automated
  • Git repository management, including merges and feature branch management
  • CI/CD familiarity plus experience with a build server such as Jenkins, Bamboo, etc.
  • Experience with an "Infrastructure as Code" tool such as Terraform, CloudFormation, Troposphere, etc.

Duration

Two Days

Outline for Introduction to DevSecOps Training

Chapter 1. What is DevSecOps

What is DevSecOps?

DevSecOps as part of DevOps

Static Code Analysis

Dynamic Code Analysis

Secure Code Review

Defect Classifications

OWASP (Open Web Application Security Project)

CWE (Common Weakness Enumeration)

Chapter 2. DevOps and CI/CD Refresher

DevOps Basics

Principles of DevOps

DevOps Benefits

Continuous Integration

Continuous Deployment

Continuous Delivery

Typical CI/CD pipeline

Deployment strategies

Chapter 3. Tooling

Git

Docker

Jenkins

Travis

OWASP ZAP

Ansible

InSpec

Chapter 4. Secure SDLC

What is Secure SDLC?

Secure SDLC Activities and Security Gates

Requirements, Design, Implementation and Testing

Deployment and Maintenance

Embedding Security as part of CI/CD pipeline

DevSecOps and the challenges of integrating pentesting and vulnerability assessment

Chapter 5. DevSecOps Maturity Model (DSOMM)

Maturity levels and tasks involved

The four axes of DSOMM

Going from Maturity Level 1 to Maturity Level 4

Maturity level specific practices and challenges

Chapter 6. Software Component Analysis (SCA)

What is Software Component Analysis?

SCA Solutions

Embedding SCA tools into the pipeline

Chapter 7. SAST (Static Application Security Testing)

What is Static Application Security Testing?

Embedding SAST tools in the pipeline

Preventing secrets exposure in the code

Chapter 8. DAST (Dynamic Application Security Testing)

What is Dynamic Application Security Testing?

Session management & AJAX Crawling

DAST tools

SSL/TLS misconfiguration testing

Creating baseline scans for DAST

Scan frequencies

Chapter 9. Infrastructure as Code (IaC)

What is Infrastructure as Code?

Benefits of Infrastructure as Code

Building Blocks

Configuration Management Systems

Ansible

Modules, Tasks, Roles and Playbooks

Chapter 10. Compliance as Code

Handling Compliance Requirements

Using configuration management to achieve compliance

InSpec / OpenSCAP

Chapter 11. Vulnerability Management

Managing vulnerabilities in the organization

DefectDojo