Length: 3 Days

DevSecOps Training Bootcamp

The objective of DevSecOps (development, security and operations) is to make everyone accountable for security with the focus on implementing security decisions and actions at the same scale and speed as development and operations decisions and actions.

Some would argue it’s not just about development, security and operations. It’s about a mindset that is so important, it led to the term “DevSecOps” to emphasize the need to build a security foundation into DevOps initiatives.

DevSecOps means thinking about application and infrastructure security from the start. It also means automating some security gates to keep the DevOps workflow from slowing down.

Implementing DevSecOps can be an elaborate process for an organization, but well worth it when considering the benefits. Implementation normally includes the following stages:

  • Planning and development
  • Building and testing
  • Deployment and operation
  • Monitoring and scaling

The most obvious benefit of DevSecOps is improved security. Vulnerabilities are identified early in the pipeline, where they are far cheaper to fix than after release, and because continuous monitoring is in place, threat-hunting capabilities improve as well. Business-wise, the more secure a product, the easier it is to sell.

Discovering vulnerabilities in the early stages of the SDLC has a tremendous impact on overall security as well as on the cost of fixing issues. Multiple teams coming together to work on security also improves accountability, and such collaboration makes it easier to arrive at quick, effective security response strategies and more robust security design patterns. DevSecOps also reduces the frequency of security bottlenecks: security checks run without waiting for the development cycle to finish.

Another important benefit: DevSecOps gives managers a holistic overview of the security measures in place, which provides a better framework for compliance with regulation such as the General Data Protection Regulation (GDPR).

A DevSecOps program requires continuous improvement to achieve the desired efficiency. Sound principles to follow for a DevSecOps implementation include:

  • Enforcing tight access security for API endpoints.
  • Automated tests for security capabilities wired into the acceptance test process. These automated tests include input validation as well as authentication and authorization enforcement.
  • Scanning any pre-built container images for known security vulnerabilities as they are pulled into the build pipeline.
  • Automated security updates, such as patches for known vulnerabilities, by means of the DevOps pipeline with an audit log.
  • Automated service configuration management, allowing for compliance with security policies and the elimination of manual errors.
  • Continuous monitoring, audit, and remediation of security defects across the application lifecycle.
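Three of the principles above (scanning pulled images for known vulnerabilities, blocking on them, and keeping an audit log of every automated decision) fit into a single pipeline gate. The following is an added example, not material from the course or from any particular scanner: it assumes the scanner emits JSON shaped like the constructed SAMPLE_REPORT (the EX-… finding IDs are placeholders, not real CVEs) and that accepted risks live in a repo-controlled register keyed by finding ID with a package, approver and expiry date, so an acceptance can never silently outlive its review.

```python
"""Pipeline security gate for container image scan results (added example).

Not the course's own material. Assumptions: the scanner emits JSON shaped like
the constructed SAMPLE_REPORT below, and accepted risks live in a
repo-controlled register keyed by finding ID with package, approver and expiry.
"""
import json
from datetime import date

# Findings at or above this severity block the pipeline unless accepted.
FAIL_SEVERITIES = {"CRITICAL", "HIGH"}

# Constructed sample; the EX-... finding IDs are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({
    "image": "registry.example.internal/payments-api:1.4.2",
    "findings": [
        {"id": "EX-0001", "pkg": "libalpha", "severity": "CRITICAL", "fixed_version": "1.2.3"},
        {"id": "EX-0002", "pkg": "libbeta", "severity": "HIGH", "fixed_version": None},
        {"id": "EX-0003", "pkg": "libgamma", "severity": "MEDIUM", "fixed_version": "2.0"},
    ],
})

# Constructed accepted-risk register: one unfixed HIGH accepted for a fixed term.
SAMPLE_ACCEPTED = {
    "EX-0002": {"pkg": "libbeta", "approver": "appsec-lead", "expires": "2024-09-30"},
}


def evaluate(report_json, accepted, today):
    """Gate decision for one image; `today` is an ISO date so runs are reproducible."""
    today = date.fromisoformat(today)
    report = json.loads(report_json)
    audit, blocking = [], []
    for f in report["findings"]:
        sev = f["severity"].upper()
        acc = accepted.get(f["id"])
        if sev not in FAIL_SEVERITIES:
            decision, reason = "allow", f"{sev} is below the gate threshold"
        elif acc is None:
            decision, reason = "block", f"{sev} finding has no risk acceptance"
        elif acc["pkg"] != f["pkg"]:
            # An acceptance is scoped to the package it was reviewed for.
            decision, reason = "block", f"acceptance covers {acc['pkg']}, not {f['pkg']}"
        elif date.fromisoformat(acc["expires"]) < today:
            decision, reason = "block", f"acceptance expired on {acc['expires']}"
        else:
            decision, reason = "allow", f"accepted by {acc['approver']} until {acc['expires']}"
        audit.append({
            "image": report["image"], "finding": f["id"], "pkg": f["pkg"],
            "severity": sev, "fixed_version": f.get("fixed_version"),
            "decision": decision, "reason": reason,
        })
        if decision == "block":
            blocking.append(f["id"])
    return {"image": report["image"], "passed": not blocking,
            "blocking": blocking, "audit": audit}


def audit_lines(result, ts):
    """Serialise every decision as one JSON line for the pipeline's audit log."""
    return [json.dumps({"ts": ts, **entry}, sort_keys=True) for entry in result["audit"]]


if __name__ == "__main__":
    result = evaluate(SAMPLE_REPORT, SAMPLE_ACCEPTED, "2024-06-01")
    for line in audit_lines(result, "2024-06-01T00:00:00Z"):
        print(line)
    # Non-zero exit fails the pipeline stage; the log lines are the audit trail.
    raise SystemExit(0 if result["passed"] else 1)
```

The gate deliberately records an "allow" line for every finding, not just the blocking ones, so an auditor can see which acceptances were relied on in each build; the expiry check is what turns a one-off exception into a time-boxed risk decision.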

DevSecOps Training Bootcamp Course by Tonex

DevSecOps Training Bootcamp is a 3-day practical DevSecOps course where participants gain in-depth knowledge and skills to apply, implement and improve IT security in modern DevOps.

DevSecOps Training Bootcamp focuses on the concepts, principles, processes, policies, guidelines, mitigations, the applied Risk Management Framework (RMF), technical skills and best practices needed to make security and risk management/profiling a DevOps priority. Participants learn about DevOps and DevSecOps in order to take full advantage of the agility and responsiveness of a secure DevOps approach, and about IT security across the SDLC and the full life cycle of their applications.

As IT modernization efforts grow, it is important to understand the combination of development and operations as an approach that can help organizations modernize and speed up new development efforts, especially as they migrate to cloud services.

Effective DevOps ensures rapid and frequent development cycles, but inappropriate and outdated security practices and policies can undo even the most efficient DevOps initiatives. DevSecOps, the integration of DevOps and security, makes security a shared responsibility and emphasizes the need to build a security foundation into DevOps initiatives.

Who Should Attend?

  • Security Staff
  • IT Leadership
  • IT Infrastructure
  • CIOs / CTOs / CSOs
  • Configuration Managers
  • Developers and Application Team Members and Leads
  • IT Operations Staff
  • IT Project & Program Managers
  • Product Owners and Managers
  • Release Engineers
  • Agile Staff and ScrumMasters
  • Software Developers
  • Software Team Leads
  • System Administrators

Learning Objectives

Upon completion of DevSecOps Training Bootcamp, participants will learn how to:

  • Identify and explain the phases of the DevOps life cycle
  • Define the roles and responsibilities that support DevOps environments
  • Describe the security components of and identify the risk principles of DevOps
  • Analyze, assess, and automate DevOps application security across the Software Development Life Cycle (SDLC)
  • Identify and explain the characteristics required to satisfy the security definition of DevOps computing
  • Use DevOps-style security metrics to measure and monitor security practices and performance
  • Differentiate between various security models and frameworks that are incorporated into the DevOps environments
  • Contrast security aspects of SDLC in standard DevOps environments, technical use cases and software requirements
  • Discuss strategies for safeguarding DevOps approach
  • Explain strategies for protecting data at rest and data in motion
  • Conduct gap analysis between DevOps security baseline and industry-standard best practices
  • Evaluate and implement the security controls necessary to ensure confidentiality, integrity and availability (CIA) in DevOps environments
  • Conduct risk assessments of existing and proposed DevOps environments
  • Integrate the Risk Management Framework (RMF) with DevOps
  • Describe the role of encryption in protecting data and specific strategies for key management
  • Compare a variety of DevOps business continuity / disaster recovery strategies and select an appropriate solution to specific business requirements
  • Assess key DevSecOps metrics and tools to continuously monitor DevOps security risks

Course Agenda

DevOps vs. DevSecOps

  • Agile and DevOps
  • Intro to DevOps Practices
  • Principles of DevOps and DevOps Life cycle
  • Traditional SDLC
  • Requirements, Design, Implementation, Operations and Maintenance
  • Integration of Development, Software Engineering, Security and Operation
  • The “Sec” in DevSecOps
  • DevSecOps Benefits
  • DevOps, Security and Compliance
  • Continuous Integration and Continuous Delivery (CI/CD)
  • DevOps Security Policies, Roles and Compliance
  • DevOps Application Security across Software Development Life cycle (SDLC)
  • Assessing DevOps Security and Risks

DevOps Security Requirements

  • Architecture, Design and Threat Modeling Requirements
  • Data Storage and Privacy Requirements
  • Cryptography Requirements
  • Authentication and Session Management Requirements
  • Network Communication Requirements
  • Platform Interaction Requirements
  • Code Quality and Build Setting Requirements
  • Resilience Requirements
  • Integrating security within DevOps
  • Problems with traditional controls
  • A New Secure SDLC Approach
  • Steps to DevOps security
  • Traditional Web Application Security Controls
  • Penetration Testing
  • WAF (Web Application Firewall)
  • Code Analysis

DevOps Typical Security Activities

  • DevOps Typical Activities
  • Traditional Secure SDLC
  • Security foundation into DevOps initiatives
  • AppSec in a DevOps World
  • Applications Architectural Concepts & Design Requirements
  • DevOps Application Security
  • CI/CD pipeline to Embed Security
  • Securing CI/CD
  • Self Service
  • Security Champions
  • Use Maturity Models

Tools for Securing DevOps

  • DevOps Toolchain
  • Tools to secure software development at various stages of the CI/CD pipeline
  • Vulnerabilities and Applications Safety
  • DevOps Security Tools
  • SonarQube
  • OWASP ZAP
  • OWASP Dependency-Check
  • OWASP Glue
  • Anchore
  • Clair (CoreOS)
  • FOSSA
  • Cyberark Conjur

Principles Behind DevSecOps

  • DevOps, IT Modernization, and Information Security
  • DevSecOps and Principles behind “DevOps” Security
  • Uniting DevOps and Security
  • DevOps Vulnerabilities
  • Business Requirements
  • Development Teams
  • DevSecOps and SDLC Activities
  • Tools versus Processes
  • Strengthen and Scale security using DevSecOps
  • Assessment and Certification
  • Everything as Code (EaC)
  • Compliance as Code
  • Hardening via configuration management systems
  • DevOps Data Security
  • Legal & Compliance
  • Security Tools in CI/CD
  • Use Secure by Default Frameworks
  • Services Shift Security Left
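"Compliance as Code" and "hardening via configuration management systems" above, like the earlier principle of automated service configuration management, come down to evaluating a deployable artifact against a machine-readable policy before it ships. The following is an added example, not course material: a policy-as-code check over a Kubernetes Pod manifest, with the rules modelled on a subset of the Kubernetes Pod Security Standards "restricted" profile plus two common hardening rules (read-only root filesystem, image pinned by digest). The rule IDs H1..H7 and both manifests are this example's own constructions.

```python
"""Compliance-as-code check of a Kubernetes Pod manifest (added example).

Not the course's own material. Rules are a subset modelled on the Kubernetes
Pod Security Standards "restricted" profile plus two common hardening rules;
the rule IDs H1..H7 and both manifests are constructed for illustration.
"""


def check_pod(pod):
    """Return (rule, location, message) tuples; an empty list means compliant."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    violations = []
    for i, vol in enumerate(spec.get("volumes", [])):
        if "hostPath" in vol:
            violations.append(("H1", f"spec.volumes[{i}]", "hostPath mounts expose the node filesystem"))
    for kind in ("initContainers", "containers"):
        for i, c in enumerate(spec.get(kind, [])):
            loc = f"spec.{kind}[{i}]"
            sc = c.get("securityContext", {})
            if sc.get("privileged"):
                violations.append(("H2", loc, "privileged containers are not allowed"))
            # Absent is treated as non-compliant: the control must be stated explicitly.
            if sc.get("allowPrivilegeEscalation") is not False:
                violations.append(("H3", loc, "allowPrivilegeEscalation must be explicitly false"))
            if "ALL" not in sc.get("capabilities", {}).get("drop", []):
                violations.append(("H4", loc, "capabilities.drop must include ALL"))
            # A container-level setting overrides the pod-level one; the effective value must be true.
            if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
                violations.append(("H5", loc, "runAsNonRoot must be true"))
            if sc.get("readOnlyRootFilesystem") is not True:
                violations.append(("H6", loc, "readOnlyRootFilesystem must be true"))
            if "@sha256:" not in c.get("image", ""):
                violations.append(("H7", loc, "image must be pinned by digest, not a mutable tag"))
    return violations


def compliant(pod):
    return not check_pod(pod)


# Constructed "weak" manifest: the kind of default a developer might commit first.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "app", "image": "registry.example.internal/app:latest",
            "securityContext": {"privileged": True},
        }],
    },
}

# Constructed hardened manifest: the same workload with every rule satisfied.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "volumes": [{"name": "tmp", "emptyDir": {}}],
        "containers": [{
            "name": "app",
            "image": "registry.example.internal/app@sha256:" + "0" * 64,
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
                "readOnlyRootFilesystem": True,
            },
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
    },
}


if __name__ == "__main__":
    for name, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        found = check_pod(pod)
        print(f"{name}: {'compliant' if not found else str(len(found)) + ' violation(s)'}")
        for rule, loc, msg in found:
            print(f"  {rule} {loc}: {msg}")
```

Run in CI, a non-empty result fails the build and points at the exact manifest path, which is what makes the policy reviewable and the failure actionable; the same check can be applied to rendered Helm or Kustomize output rather than to hand-written manifests.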

DevSecOps and Application Security

  • DevOps and Security
  • OWASP AppSec Pipeline
  • The OWASP AppSec Pipeline (Rugged DevOps) project
  • Security as a DevOps practice
  • Application Security Risk Assessment and Testing
  • Application Threat Modeling
  • Security shifting to the left
  • Static Code Analysis (SAST)
  • Dynamic Testing (DAST)
  • Runtime Protection
  • Infrastructure/Platform Vulnerability Scanning
  • Platform configuration & compliance
  • Deployment of controls
  • Firewalling, micro-segmentation
  • WAFs, DBSGs, etc.
  • RASP
  • Identity & Access Management
  • Automated & programmatically provisioned

How to DevSecOps

  • Culture
  • Measurements
  • Automation and Sharing
  • Core Values of DevOps
  • Scale security with DevOps
  • DevSecOps Implementation
  • Shift Security Left
  • Use CI/CD pipeline to Embed Security
  • Self Service
  • Gives developers and operations visibility into security activities
  • Security Champions
  • DevSecOps and Operations
  • Change management and DevSecOps
  • DevSecOps for Defense and Government Agencies

DevSecOps Maturity

  • DevSecOps Maturity Model (DSOMM)
  • Static versus Dynamic Depth
  • Static Code Analysis and Dynamic Depth
  • Intensity
  • Consolidation
  • OWASP DevSecOps Studio Project

Risk Management Framework (RMF), DevOps and DevSecOps

  • DevSecOps and RMF
  • Encryption in protecting data and specific strategies for key management
  • DevSecOps Metrics
  • Tools to Monitor DevOps Security Risks
  • Applying DevOps to DoD5000 Processes
  • DevSecOps and Authority to Operate (ATO)
  • Integration of DevSecOps and RMF for Continuous ATO
  • Software integrated tools, services, and standards

Workshops and Group Activities

Workshop 1:  Plan for DevSecOps

  • DevOps, developers and operations
  • Improving the quality
  • DevOps culture to ensure secure, high-quality software
  • Unsecured APIs and frameworks
  • Security sensitive code portions
  • Regulatory problems
  • Identity and Access Management (IAM)

Workshop 2:   Secure Code Overview

  • Tools for Automating Secure Coding
  • Developer guidelines & checklists
  • Coding Standards
  • Common pitfalls and mitigation
  • Security Testing
  • Runtime Application Self-Protection (RASP)

Workshop 3:   Create a DevSecOps plan

  • DevOps and security
  • Tools you need to implement DevSecOps
  • Train your team in the culture of DevSecOps
  • Patterns for security
  • Scanning

 
