Length: 3 Days

DevSecOps Training Bootcamp

One can make the argument that DevSecOps (development, security and operations) is important to every development project.

The reason: DevSecOps is an approach that produces shorter development cycles, and shorter development cycles allow teams to respond to and fix problems faster, increase efficiency, test new features, and keep users happy.

Shorter development cycles also help to strengthen your team and improve their efficiency.

Another way of looking at it: DevSecOps is the new DevOps, only complete.

Since its inception, countless developers have adopted DevOps to speed up the software delivery process and increase communication between developers and IT Ops teams.

In today’s world, software development is holistic and iterative, so a siloed approach to security runs contrary to the DevOps model and causes delays.

Applying security throughout the entire application lifecycle is the only way to properly secure an application.

DevSecOps requires developers and security personnel to have a mutual understanding and respect for what the other group does. A successful DevSecOps process reduces stress on both teams and avoids vulnerabilities being inadvertently built into the code.

Corporate giants such as Microsoft have turned to a DevSecOps approach in order to achieve common purpose between its development and security operations. Consequently, this shared purpose has resulted in better security for both its internal and commercial software and services.

Microsoft’s approach is simple and is based on good, consistent training and communication. However, for many organizations, executing that approach is not so simple. It requires buy-in from both groups, ongoing training, effective communication and, importantly, a strong endorsement from executive management.

Experts in this field recommend that teams share security best practices at Red Zone meetings, so that each team can draw on the other’s technology, lessons learned and capabilities.

Analysts are quick to point out the importance of DevSecOps because a lack of understanding and poor communication can doom the relationship between security and development teams.

Additionally, analysts warn that switching to DevSecOps requires a mindset shift in several areas. Software engineers need to be on board with continuous updates.

For SaaS providers hosting applications in the cloud, having continuously updated software is critical.

DevOps without integrated security is no longer compatible with modern software development and deployment. In order to prioritize security throughout the entire app life cycle, DevOps has been transformed into this new model called DevSecOps.

DevSecOps Training Bootcamp Course by Tonex

DevSecOps Training Bootcamp is a 3-day practical DevSecOps course where participants gain in-depth knowledge and skills to apply, implement and improve IT security in modern DevOps.

DevSecOps Training Bootcamp focuses on the concepts, principles, processes, policies, guidelines, mitigations, applied Risk Management Framework (RMF), technical skills and best practices needed to make security and risk management/profiling a DevOps priority. Participants learn about DevOps and DevSecOps so they can take full advantage of the agility and responsiveness of a secure DevOps approach, applying IT security across the SDLC and the full life cycle of their applications.

As IT modernization efforts grow, it is important to understand the combination of development and operations as an approach that can help organizations modernize and speed up new development efforts, especially as they migrate to cloud services.

Effective DevOps ensures rapid and frequent development cycles, but inappropriate and outdated security practices and policies can undo even the most efficient DevOps initiatives. DevSecOps, the integration of DevOps and security, makes security a shared responsibility and emphasizes the need to build a security foundation into DevOps initiatives.

Who Should Attend?

  • Security Staff
  • IT Leadership
  • IT Infrastructure
  • CIOs / CTOs / CSOs
  • Configuration Managers
  • Developers and Application Team Members and Leads
  • IT Operations Staff
  • IT Project & Program Managers
  • Product Owners and Managers
  • Release Engineers
  • Agile Staff and ScrumMasters
  • Software Developers
  • Software Team Leads
  • System Admin

Learning Objectives

Upon completion of DevSecOps Training Bootcamp, participants will learn how to:

  • Identify and explain the phases of the DevOps life cycle
  • Define the roles and responsibilities that support DevOps environments
  • Describe the security components of and identify the risk principles of DevOps
  • Analyze, assess, and automate DevOps application security across the Software Development Life Cycle (SDLC)
  • Identify and explain the characteristics required to satisfy the security definition of DevOps
  • Use DevOps-style security metrics to measure and monitor security practices and performance
  • Differentiate between various security models and frameworks that are incorporated into the DevOps environments
  • Contrast security aspects of SDLC in standard DevOps environments, technical use cases and software requirements
  • Discuss strategies for safeguarding DevOps approach
  • Explain strategies for protecting data at rest and data in motion
  • Conduct gap analysis between DevOps security baseline and industry-standard best practices
  • Evaluate and implement the security controls necessary to ensure confidentiality, integrity and availability (CIA) in DevOps environments
  • Conduct risk assessments of existing and proposed DevOps environments
  • Integrate the Risk Management Framework (RMF) with DevOps
  • Describe the role of encryption in protecting data and specific strategies for key management
  • Compare a variety of DevOps business continuity / disaster recovery strategies and select an appropriate solution to specific business requirements
  • Assess key DevSecOps metrics and tools to continuously monitor DevOps security risks

Course Agenda

DevOps vs. DevSecOps

  • Agile and DevOps
  • Intro to DevOps Practices
  • Principles of DevOps and DevOps Life cycle
  • Traditional SDLC
  • Requirements, Design, Implementation, Operations and Maintenance
  • Integration of Development, Software Engineering, Security and Operation
  • The “Sec” in DevSecOps
  • DevSecOps Benefits
  • DevOps, Security and Compliance
  • Continuous Integration and Continuous Delivery (CI/CD)
  • DevOps Security Policies, Roles and Compliance
  • DevOps Application Security across Software Development Life cycle (SDLC)
  • Assessing DevOps Security and Risks

DevOps Security Requirements

  • Architecture, Design and Threat Modeling Requirements
  • Data Storage and Privacy Requirements
  • Cryptography Requirements
  • Authentication and Session Management Requirements
  • Network Communication Requirements
  • Platform Interaction Requirements
  • Code Quality and Build Setting Requirements
  • Resilience Requirements
  • Integrating security within DevOps
  • Problems with traditional controls
  • A New Secure SDLC Approach
  • Steps to DevOps security
  • Traditional Web Application Security Controls
  • Penetration Testing
  • WAF (Web Application Firewall)
  • Code Analysis

DevOps Typical Security Activities

  • DevOps Typical Activities
  • Traditional Secure SDLC
  • Security foundation into DevOps initiatives
  • AppSec in a DevOps World
  • Applications Architectural Concepts & Design Requirements
  • DevOps Application Security
  • CI/CD pipeline to Embed Security
  • Securing CI/CD
  • Self Service
  • Security Champions
  • Use Maturity Models

Tools for Securing DevOps

  • DevOps Toolchain
  • Tools to secure software development at various stages of the CI/CD pipeline
  • Vulnerabilities and Applications Safety
  • DevOps Security Tools
  • SonarQube
  • OWASP ZAP
  • OWASP Dependency-Check
  • OWASP Glue
  • Anchore
  • Clair (CoreOS)
  • FOSSA
  • Cyberark Conjur

Principles Behind DevSecOps

  • DevOps, IT Modernization, and Information Security
  • DevSecOps and Principles behind “DevOps” Security
  • Uniting DevOps and Security
  • DevOps Vulnerabilities
  • Business Requirements
  • Development Teams
  • DevSecOps and SDLC Activities
  • Tools versus Processes
  • Strengthen and Scale security using DevSecOps
  • Assessment and Certification
  • Everything as Code (EaC)
  • Compliance as Code
  • Hardening via configuration management systems
  • DevOps Data Security
  • Legal & Compliance
  • Security Tools in CI/CD
  • Use Secure by Default Frameworks
  • Services Shift Security Left
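As an added illustration of the “Security Tools in CI/CD” and “Compliance as Code” items above, and of the dependency-scanning tools listed under Tools for Securing DevOps, the following Python build gate is example code written for this page, not course material from Tonex or code from any of the tools named. It reads a dependency-scan report and fails the pipeline when a finding reaches the agreed CVSS threshold, while honouring time-boxed risk acceptances that expire on a date recorded next to the exception. The report shape is a simplified assumption modelled on the JSON report OWASP Dependency-Check writes; the package names and CVE identifiers in the sample are placeholders constructed for the example.

```python
"""CI policy gate: fail the build on dependency findings at or above a CVSS
threshold, with expiring risk acceptances kept as code next to the pipeline."""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass
from datetime import date

# Constructed sample report. The layout (dependencies -> vulnerabilities ->
# cvssv3.baseScore) is an assumption modelled on OWASP Dependency-Check's
# JSON output; names and CVE identifiers are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "widget-core-1.4.2.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-0001", "severity": "CRITICAL",
              "cvssv3": {"baseScore": 9.8}},
             {"name": "CVE-0000-0002", "severity": "MEDIUM",
              "cvssv3": {"baseScore": 5.3}},
         ]},
        {"fileName": "widget-util-0.9.0.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-0003", "severity": "HIGH",
              "cvssv3": {"baseScore": 7.5}},
         ]},
        {"fileName": "logging-shim-2.0.1.jar"},  # clean dependency, no key
    ]
})


@dataclass(frozen=True)
class Finding:
    dependency: str
    vuln_id: str
    severity: str
    score: float


def parse_report(report_json: str) -> list[Finding]:
    """Flatten the report into one Finding per (dependency, vulnerability)."""
    data = json.loads(report_json)
    findings: list[Finding] = []
    for dep in data.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            # Prefer CVSS v3; fall back to v2 for older entries; 0 if neither.
            cvss = vuln.get("cvssv3") or vuln.get("cvssv2") or {}
            findings.append(Finding(
                dependency=dep.get("fileName", "?"),
                vuln_id=vuln.get("name", "?"),
                severity=str(vuln.get("severity", "UNKNOWN")).upper(),
                score=float(cvss.get("baseScore", 0.0)),
            ))
    return findings


def evaluate_gate(findings: list[Finding], fail_on_cvss: float = 7.0,
                  accepted_risks: dict[str, str] | None = None,
                  today: str | None = None) -> tuple[bool, list[Finding]]:
    """Return (passed, blocking findings).

    accepted_risks maps a vulnerability ID to the ISO date its acceptance
    expires; an expired acceptance blocks the build again, so exceptions
    cannot silently become permanent.
    """
    accepted_risks = accepted_risks or {}
    today_d = date.fromisoformat(today) if today else date.today()
    blocking: list[Finding] = []
    for f in findings:
        if f.score < fail_on_cvss:
            continue
        expiry = accepted_risks.get(f.vuln_id)
        if expiry is not None and today_d <= date.fromisoformat(expiry):
            continue  # risk acceptance still in force
        blocking.append(f)
    return (not blocking, blocking)


def run_gate(report_json: str, fail_on_cvss: float = 7.0,
             accepted_risks: dict[str, str] | None = None,
             today: str | None = None) -> int:
    """Exit code for the pipeline step: 0 to proceed, 1 to stop the build."""
    passed, blocking = evaluate_gate(parse_report(report_json), fail_on_cvss,
                                     accepted_risks, today)
    for f in blocking:
        print(f"BLOCK {f.dependency}: {f.vuln_id} {f.severity} "
              f"CVSS {f.score:.1f} >= {fail_on_cvss:.1f}")
    return 0 if passed else 1


if __name__ == "__main__":
    # Acceptance for the CRITICAL finding expires at the end of 2099 (placeholder).
    sys.exit(run_gate(SAMPLE_REPORT, accepted_risks={"CVE-0000-0001": "2099-12-31"}))
```

In a real pipeline the report would come from a scanner run earlier in the same job (Dependency-Check can also fail a build on its own with `--failOnCVSS`); the point of keeping a separate gate in the repository is that the threshold and the dated exceptions are reviewed through the same pull-request process as the code they protect.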

DevSecOps and Application Security

  • DevOps and Security
  • OWASP AppSec Pipeline
  • The OWASP AppSec Rugged DevOps Pipeline Project
  • Security as a DevOps practice
  • Application Security Risk Assessment and Testing
  • Application Threat Modeling
  • Security shifting to the left
  • Static Code Analysis (SAST)
  • Dynamic Testing (DAST)
  • Runtime Protection
  • Infrastructure/Platform Vulnerability Scanning
  • Platform configuration & compliance
  • Deployment of controls
  • Firewalling, micro-segmentation
  • WAFs, DBSGs, etc.
  • RASP
  • Identity & Access Management
  • Automated & programmatically provisioned

How to DevSecOps

  • Culture
  • Measurements
  • Automation and Sharing
  • Core Values of DevOps
  • Scale security with DevOps
  • DevSecOps Implementation
  • Shift Security Left
  • Use CI/CD pipeline to Embed Security
  • Self Service
  • Gives developers and operations visibility into security activities
  • Security Champions
  • DevSecOps and Operations
  • Change management and DevSecOps
  • DevSecOps for Defense and Government Agencies

DevSecOps Maturity

  • DevSecOps Maturity Model (DSOMM)
  • Static versus Dynamic Depth
  • Static Code Analysis and Dynamic Depth
  • Intensity
  • Consolidation
  • OWASP DevSecOps Studio Project

Risk Management Framework (RMF), DevOps and DevSecOps

  • DevSecOps and RMF
  • Encryption in protecting data and specific strategies for key management
  • DevSecOps Metrics
  • Tools to Monitor DevOps Security Risks
  • Applying DevOps to DoD 5000 Processes
  • DevSecOps and Authority to Operate (ATO)
  • Integration of DevSecOps and RMF for Continuous ATO
  • Software integrated tools, services, and standards

Workshops and Group Activities

Workshop 1:  Plan for DevSecOps

  • DevOps, developers and operations
  • Improving the quality
  • DevOps culture to ensure secure, high-quality software
  • Unsecured APIs and frameworks
  • Security sensitive code portions
  • Regulatory problems
  • Identity and Access Management (IAM)

Workshop 2:   Secure Code Overview

  • Tools for Automating Secure Coding
  • Developer guidelines & checklists
  • Coding Standards
  • Common pitfalls and mitigation
  • Security Testing
  • Runtime Application Self-Protection (RASP)

Workshop 3:   Create a DevSecOps plan

  • DevOps and security
  • Tools you need to implement DevSecOps
  • Train your team in the culture of DevSecOps
  • Patterns for security
  • Scanning
