Length: 3 Days

DevSecOps Training Bootcamp

DevSecOps Training Bootcamp is a 3-day course in which participants identify and explain the phases of the DevOps life cycle and use DevOps-style security metrics to measure and monitor security practices and performance.


DevSecOps stands for development, security, and operations.

DevSecOps is an approach to culture, automation, and platform design that integrates security as a shared responsibility throughout the entire IT lifecycle.

In practicality, DevSecOps has come to mean thinking about application and infrastructure security from the start as well as automating some security gates to keep the DevOps workflow from slowing down.

Experts in this field contend that selecting the right tools, with built-in security features, to continuously integrate security can help meet these goals.

There’s that, but analysts say effective DevOps security requires more than new tools—it builds on the cultural changes of DevOps to integrate the work of security teams sooner rather than later.

The big picture is this: DevSecOps highlights the need to invite security teams and partners at the outset of DevOps initiatives to build in information security and set a plan for security automation.

Of the many benefits of a DevSecOps approach, none is valued more than rapid, cost-effective delivery.

It is no secret that huge security problems, and the significant delays they cause, can result when organizations develop software without a DevSecOps objective.

Fixing the code and security issues can be time-consuming and expensive. The rapid, secure delivery of DevSecOps saves time and reduces costs by minimizing the need to repeat a process to address security issues after the fact.

Organizations are experiencing even greater efficiency and cost-effectiveness when integrated security cuts out duplicative reviews and unnecessary rebuilds, resulting in more secure code.

Another major advantage of DevSecOps is improved, proactive security itself.

This happens because DevSecOps introduces cybersecurity processes from the beginning of the development cycle. Throughout the development cycle, the code is reviewed, audited, scanned, and tested for security issues.

These issues are addressed as soon as they are identified. Security problems are fixed before additional dependencies are introduced. Security issues become less expensive to fix when protective technology is identified and implemented early in the cycle.

Additionally, better collaboration between development, security, and operations teams improves an organization’s response to incidents and problems when they occur.

DevSecOps Training Bootcamp Course by Tonex

DevSecOps Training Bootcamp is a 3-day practical DevSecOps course where participants gain in-depth knowledge and skills to apply, implement and improve IT security in modern DevOps.

DevSecOps Training Bootcamp focuses on the concepts, principles, processes, policies, guidelines, mitigations, applied Risk Management Framework (RMF), technical skills and best practices needed to make security and risk management/profiling a DevOps priority. Participants learn about DevOps and DevSecOps in order to take full advantage of the agility and responsiveness of a secure DevOps approach, and to apply IT security across the SDLC and the full life cycle of their applications.

As IT modernization efforts grow, it is important to understand the combination of development and operations as an approach that can help organizations modernize and speed up new development efforts, especially as they migrate to cloud services.

Effective DevOps ensures rapid and frequent development cycles, but inappropriate and outdated security practices and policies can undo even the most efficient DevOps initiatives. DevSecOps, the integration of DevOps and security, makes security a shared responsibility and emphasizes the need to build a security foundation into DevOps initiatives.

Who Should Attend?

  • Security Staff
  • IT Leadership
  • IT Infrastructure
  • CIOs / CTOs / CSOs
  • Configuration Managers
  • Developers and Application Team Members and Leads
  • IT Operations Staff
  • IT Project & Program Managers
  • Product Owners and Managers
  • Release Engineers
  • Agile Staff and ScrumMasters
  • Software Developers
  • Software Team Leads
  • System Administrators

Learning Objectives

Upon completion of DevSecOps Training Bootcamp, participants will learn how to:

  • Identify and explain the phases of the DevOps life cycle
  • Define the roles and responsibilities that support DevOps environments
  • Describe the security components of and identify the risk principles of DevOps
  • Analyze, assess, and automate DevOps application security across the Software Development Life Cycle (SDLC)
  • Identify and explain the characteristics required to satisfy the security definition of DevOps computing
  • Use DevOps-style security metrics to measure and monitor security practices and performance
  • Differentiate between various security models and frameworks that are incorporated into the DevOps environments
  • Contrast security aspects of SDLC in standard DevOps environments, technical use cases and software requirements
  • Discuss strategies for safeguarding the DevOps approach
  • Explain strategies for protecting data at rest and data in motion
  • Conduct gap analysis between DevOps security baseline and industry-standard best practices
  • Evaluate and implement the security controls necessary to ensure confidentiality, integrity and availability (CIA) in DevOps environments
  • Conduct risk assessments of existing and proposed DevOps environments
  • Integrate the Risk Management Framework (RMF) with DevOps
  • Describe the role of encryption in protecting data and specific strategies for key management
  • Compare a variety of DevOps business continuity / disaster recovery strategies and select an appropriate solution to specific business requirements
  • Assess key DevSecOps metrics and tools to continuously monitor DevOps security risks

Course Agenda

DevOps vs. DevSecOps

  • Agile and DevOps
  • Intro to DevOps Practices
  • Principles of DevOps and DevOps Life cycle
  • Traditional SDLC
  • Requirements, Design, Implementation, Operations and Maintenance
  • Integration of Development, Software Engineering, Security and Operations
  • The “Sec” in DevSecOps
  • DevSecOps Benefits
  • DevOps, Security and Compliance
  • Continuous Integration and Continuous Delivery (CI/CD)
  • DevOps Security Policies, Roles and Compliance
  • DevOps Application Security across Software Development Life cycle (SDLC)
  • Assessing DevOps Security and Risks

DevOps Security Requirements

  • Architecture, Design and Threat Modeling Requirements
  • Data Storage and Privacy Requirements
  • Cryptography Requirements
  • Authentication and Session Management Requirements
  • Network Communication Requirements
  • Platform Interaction Requirements
  • Code Quality and Build Setting Requirements
  • Resilience Requirements
  • Integrating security within DevOps
  • Problems with traditional controls
  • A New Secure SDLC Approach
  • Steps to DevOps security
  • Traditional Web Application Security Controls
  • Penetration Testing
  • WAF (Web Application Firewall)
  • Code Analysis

DevOps Typical Security Activities

  • DevOps Typical Activities
  • Traditional Secure SDLC
  • Security foundation into DevOps initiatives
  • AppSec in a DevOps World
  • Applications Architectural Concepts & Design Requirements
  • DevOps Application Security
  • CI/CD pipeline to Embed Security
  • Securing CI/CD
  • Self Service
  • Security Champions
  • Use Maturity Models

Tools for Securing DevOps

  • DevOps Toolchain
  • Tools to secure software development at various stages of the CI/CD pipeline
  • Vulnerabilities and Applications Safety
  • DevOps Security Tools
  • OWASP SonarQube
  • OWASP ZAP
  • OWASP Dependency-Check
  • OWASP Glue
  • Anchore
  • Clair-CoreOS
  • FOSSA
  • Cyberark Conjur

Principles Behind DevSecOps

  • DevOps, IT Modernization, and Information Security
  • DevSecOps and Principles behind “DevOps” Security
  • Uniting DevOps and Security
  • DevOps Vulnerabilities
  • Business Requirements
  • Development Teams
  • DevSecOps and SDLC Activities
  • Tools versus Processes
  • Strengthen and Scale security using DevSecOps
  • Assessment and Certification
  • Everything as Code (EaC)
  • Compliance as Code
  • Hardening via configuration management systems
  • DevOps Data Security
  • Legal & Compliance
  • Security Tools in CI/CD
  • Compliance as Code and hardening via configuration management systems
  • Use Secure by Default Frameworks
  • Services Shift Security Left

DevSecOps and Application Security

  • DevOps and Security
  • OWASP AppSec Pipeline
  • The OWASP AppSec Rugged DevOps Pipeline Project
  • Security as a DevOps practice
  • Application Security Risk Assessment and Testing
  • Application Threat Modeling
  • Security shifting to the left
  • Static Code Analysis (SAST)
  • Dynamic Testing (DAST)
  • Runtime Protection
  • Infrastructure/Platform Vulnerability Scanning
  • Platform configuration & compliance
  • Deployment of controls
  • Firewalling, micro-segmentation
  • WAFs, DBSGs, etc.
  • RASP
  • Identity & Access Management
  • Automated & programmatically provisioned

How to DevSecOps

  • Culture
  • Measurements
  • Automation and Sharing
  • Core Values of DevOps
  • Scale security with DevOps
  • DevSecOps Implementation
  • Shift Security Left
  • Use CI/CD pipeline to Embed Security
  • Self Service
  • Giving developers and operations visibility into security activities
  • Security Champions
  • DevSecOps and Operations
  • Change management and DevSecOps
  • DevSecOps for Defense and Government Agencies

DevSecOps Maturity

  • DevSecOps Maturity Model (DSOMM)
  • Static versus Dynamic Depth
  • Static Code Analysis and Dynamic Depth
  • Intensity
  • Consolidation
  • OWASP DevSecOps Studio Project

Risk Management Framework (RMF), DevOps and DevSecOps

  • DevSecOps and RMF
  • Encryption in protecting data and specific strategies for key management
  • DevSecOps Metrics
  • Tools to Monitor DevOps Security Risks
  • Applying DevOps to DoD5000 Processes
  • DevSecOps and Authority to Operate (ATO)
  • Integration of DevSecOps and RMF for Continuous ATO
  • Software integrated tools, services, and standards

Workshops and Group Activities

Workshop 1: Plan for DevSecOps

  • DevOps, developers and operations
  • Improving the quality
  • DevOps culture to ensure secure, high-quality software
  • Unsecured APIs and frameworks
  • Security sensitive code portions
  • Regulatory problems
  • Identity and Access Management (IAM)

Workshop 2: Secure Code Overview

  • Tools for Automating Secure Coding
  • Developer guidelines & checklists
  • Coding Standards
  • Common pitfalls and mitigation
  • Security Testing
  • (RASP)

Workshop 3: Create a DevSecOps Plan

  • DevOps and security
  • Tools you need to implement DevSecOps
  • Train your team in the culture of DevSecOps
  • Patterns for security
  • Scanning
